Corporate Compliance Insights

The California Consumer Privacy Act

by Greg Sparrow
July 13, 2018
in Data Privacy, Featured

What’s Next in Data Protection Laws

The GDPR went into effect at the end of May, and California could be preparing to sign a similar regulation into law in November. The California Consumer Privacy Act (CCPA) mimics the heavy regulations of the GDPR, and it received nearly double the number of signatures required to be placed on the ballot in November. Experts from CompliancePoint offer an analysis of the implications of the CCPA.

with co-author Matt Dumiak

Allegedly, while attending a cocktail party in California, a Google employee told Alastair Mactaggart: “If people just understood how much we knew about them, they’d be really worried.” Mactaggart, a real estate developer in California, then began contemplating the issue that has been consuming news articles the past few years: privacy in a digital world.

Between the GDPR going into effect in May of this year and the Cambridge Analytica scandal that consumed everyone’s attention this spring, privacy has become an inescapable topic. Mactaggart’s main claim is that in a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it stays personal?

With this, he worked to develop a privacy initiative addressing these issues focusing on transparency, control and accountability. These three principles form the basis of the ballot initiative created by Californians for Consumer Privacy, the California Consumer Privacy Act (CCPA). This ballot initiative received 625,000 signatures, which is almost twice the number required for an initiative to be included on the California ballot. Overall, this act provides consumers with three fundamental rights:

  1. The right to know what personal information is being collected;
  2. The right to know what personal information is being sold and/or shared with third parties, as well as the identity of those third parties; and
  3. The right to request that their personal information no longer be sold (i.e., the right to opt out).

In addition to honoring the consumer rights listed above, businesses would be required to provide notice via the privacy policy regarding whether personal data is sold and instructions to opt out of the selling or sharing of this data. Further, businesses must allow consumers to exercise their right to opt out through, at a minimum, two methods, including a toll-free number and a URL. Should a consumer exercise one of the rights listed above, businesses would be required to respond within 45 days of the request.

As originally crafted, the CCPA would have applied to any business, regardless of location, that earns $50 million in revenue per year, sells 100,000 consumer records in a calendar year or makes 50 percent of its annual revenue from selling personal data. This broad sweeping scope should be familiar to those responsible for ensuring readiness for the GDPR and its applicability to organizations outside of the European Union.

Fast forward a month and a half after the initiative was first approved and, as of last week, Mactaggart has now agreed to a deal that would keep this initiative off the November ballot. Instead, Mactaggart and various stakeholders and state lawmakers drafted a bill that varies slightly from the CCPA, but still provides consumers with certain rights to protect their data and requires businesses to develop and implement various new policies and procedures to comply. If signed by the California governor by June 28, 2018, Mactaggart has agreed to withdraw the CCPA from the ballot.

The new bill, which is an amendment to Assembly Bill 375 (AB 375), provides similar rights to consumers to protect their personal data, but also brings key differences from the CCPA. AB 375 provides the following rights to consumers:

  1. The right to know what personal information is collected;
  2. The right to know whether their personal information is sold or disclosed and to whom;
  3. The right to opt out of the sale of their personal information;
  4. The right to access their personal information;
  5. The right to request the deletion of their personal information; and
  6. The right to equal service and price, regardless of whether they exercise their privacy rights.

As originally proposed, businesses have 45 days to respond to consumer requests to exercise any of their rights. The key differences between the CCPA and AB 375 are that AB 375 provides the additional right to deletion and that AB 375 does not provide for a private right of action for any violation (more on this below). Instead, AB 375 provides businesses with more allowance to limit penalty amounts. Businesses are provided a 30-day window to “cure” any alleged violations. If the business can prove the violations have been “cured” and that no further violations will occur, the state attorney general will not be able to pursue legal action. Overall, violators are facing a maximum penalty of $7,500 per intentional violation. Consumers are not provided a private right of action for violations of the rights listed above.

Additionally, AB 375 provides amended rules regarding data breaches. Consumers are provided with a private right of action and can seek damages in the event of a breach where the business has failed to implement “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Damages that occur as the result of a breach are limited to a maximum of $750 per consumer per incident.

AB 375 will apply to a slightly different array of businesses than the CCPA as it applies to any business that earns $25 million in revenue per year, sells 50,000 consumer records per year or derives 50 percent of its annual revenue from selling personal information. As with the CCPA, AB 375 applies to any business collecting or selling personal information from California regardless of the physical location of the business.

Should Governor Brown sign the bill by June 28, which he is likely to do, these requirements will become effective beginning January 1, 2020 and this bill will be referred to as the California Consumer Privacy Act of 2018.

Businesses subject to this bill will be required to implement various new policies and procedures ensuring the protection of personal information, including updates to privacy policies, “reasonable” security protections and facilitation of consumer rights. Each request from consumers must be formally analyzed as various scenarios may exist in which a business does not have to honor a consumer’s request to exercise one of his/her rights.

Businesses subject to these requirements must begin to map out all personal information collected and shared from Californians. This analysis should include the categories of personal information collected, why the information is collected and to whom the information is shared/sold. This will allow businesses to more easily respond to consumer requests, as businesses can probably expect a high number of requests initially.

Lastly, businesses must determine how they will comply with this new regulation – will the business honor these rights on a nationwide basis, or will the business implement a process to determine the location of the consumer making the request and only honor those requests coming from California? How will it determine this? It is likely this is the first of many data protection laws to be enacted in the United States, and companies should prepare for additional state and maybe even federal changes to how businesses can handle personal data.


Greg Sparrow

Greg Sparrow is Senior Vice President and General Manager at CompliancePoint. Greg has enjoyed over 17 years of experience in privacy, information security and risk management. Greg has had the pleasure of working on both US-based and international projects. He was responsible for the development and implementation of the security programs responsible for protecting billions of dollars in annual transaction volume. Greg’s most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams and helping to secure critical infrastructure at some of the nation’s largest transit hubs. Greg holds multiple IT and security certifications covering the Healthcare Industry, Payment Card Industry and federal banking standards.
