Friday, March 5, 2021
Corporate Compliance Insights

California’s New Data Protection Law

by Kurt Long
September 19, 2018
in Data Privacy, Featured

What You Need to Know

In response to widespread data privacy concerns, legislators have just passed the California Consumer Privacy Act of 2018. Here’s an overview of the new data privacy rights the law provides and what it all means for your business.

Much of the political drive behind the passage of the California Consumer Privacy Act of 2018 (CaCPA) came from major privacy scandals, such as the Cambridge Analytica incident involving Facebook user data, that have raised consumers’ awareness of their privacy rights and of the privacy violations major businesses have committed against their data.

When the legislation goes into effect in January 2020, California will be building a path that will lead the nation regarding privacy and consumer protection issues. Its residents will be given control over their personal data. This law is not as extensive as the EU’s GDPR, but the requirements could impinge on established business models throughout the digital sector.

To prepare, organizations will need to adopt a new business strategy in which they weave privacy and security into their business model. They need to consider best practices for building trust between themselves and consumers to prepare for this and other new privacy requirements.

The New Data Privacy

Because many businesses today financially profit from the sale of consumer data, CaCPA may affect half a million businesses across the United States. It’s being described as landmark policy and is the first major data privacy law passed in the United States. The law will go into effect January 1, 2020. However, it’s expected that the law will be amended before that date to fix ambiguities and other issues arising from the one-week turnaround from draft to law.

Salesforce.com CEO Marc Benioff applauded the new law, saying it could help ease the “crisis of trust” between the technology industry and consumers. This crisis has been fueled by Facebook’s Cambridge Analytica scandal and other privacy missteps. Google has repeatedly faced FTC scrutiny over user privacy violations, and the company paid $22.5 million over its use of activity-tracking cookies on users of the Apple Safari web browser. This lack of corporate transparency has cost these companies dearly.

Consumers have become more aware lately of how little control they have over their data. People are beginning to see the impact of a data-for-service model, and grassroots movements are aligning with legislative power to return control of consumer data to their own hands.

Broadly, CaCPA guarantees Californians the right to:

  • Know what personal information is being collected about them
  • Know whether their personal information is sold or disclosed, and to whom
  • Access their personal information
  • Request a record of the types of data an organization holds about them, along with information about how that data is used for business purposes and third-party sharing
  • Request to have their data erased
  • Object to the sale of their data

The law continues to transform the way people think about privacy in the U.S. The Fourth Amendment provides what is called a “Right to Privacy,” but legally, the amendment has largely been upheld as a right to privacy against government authorities, including police. It has been weakly upheld, if at all, in relation to commercial enterprises. In effect, your home may be your castle, but your digital identity has been up for grabs.

What This Means for Your Business

If your organization meets one of the three following conditions, CaCPA applies to you:

  1. Earns $25 million or more in annual revenue (it’s not clear whether this is California revenue, or global sales)
  2. Holds the personal data of at least 50,000 people, households or devices
  3. Obtains at least half of its revenue by selling personal data

The International Association of Privacy Professionals states that an organization must also meet all of the following conditions:

  1. A sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized and operated for the profit or financial benefit of shareholders or other owners
  2. Collects consumers’ personal information or has someone collect it on its behalf
  3. Alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information
  4. Does business in California

Any business entity that meets all these conditions will be subject to the law, regardless of where it is located. It’s estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do at least part of their business in California.

As people found out with GDPR, a seemingly far-off deadline can arrive sooner than anyone thought. Affected businesses can take the following steps to prepare for January 1, 2020:

  • Start updating privacy policies, California-specific rights pages and “Do Not Sell My Information” processes (if the latter applies).
  • Consider alternative business models and web/mobile presences, such as California-only sites and offerings.
  • Businesses selling or transferring data for business purposes should inventory all third parties that receive their data.
  • Inventory all the information you collect, use and store that is of a personal nature. Also map the age of your data subjects.
  • Make sure you have a designated method for submitting data access requests.
  • Put in place new systems and processes to help you comply with new requirements, including:
    • Not requiring opt-in consent for 12 months after a California resident opts out
    • Verifying the identity and authorization of people making requests for data access, deletion or portability
    • Responding to requests for data access, deletion and portability within 45 days
  • Monitor your cloud-based and mission-critical applications like Salesforce to ensure any potential breaches or data theft are quickly spotted and remediated. This can help protect you from the CaCPA’s penalty of up to $750 per resident and incident.
  • Assess how you’re collecting and handling data and how easy it is to fulfill a consumer’s request as you consider aligning yourself with the data privacy movement as a business owner. The CaCPA doesn’t require privacy awareness training, but it can be a good opportunity to assess your existing training and conduct new training if necessary.

Err on the Side of Trust

Ultimately, this type of legislation reminds businesses that protecting data privacy is more than a matter of covering your assets. Consumers are fed up with being lied to and profited from without their knowledge or consent. Such actions betray an implicit trust that exists between a provider and a customer. Laws like CaCPA are reshaping the notion of consumer privacy and, at the same time, the need for greater corporate transparency.

Moving forward, businesses will have to adjust their privacy and security efforts to secure data and earn customer trust by adhering to privacy regulations. This requires the right people, tools, processes and plan. Get started now before the fines and consumer wrath start rolling in.


Kurt Long

Kurt Long sets the vision, overall solution strategies and go-to-markets at FairWarning. Operationally, he coordinates the activities amongst management with a major emphasis on entrepreneurial leadership development and culture. Mr. Long is co-founder of Next Generation Entrepreneurs with the Pinellas Education Foundation, a program designed to develop conscious entrepreneurship in high school students.


© 2019 Corporate Compliance Insights
