On June 28 2018, California Governor Jerry Brown signed into law AB 375, the California Consumer Privacy Act (CCPA) of 2018. The statute, seen as one of the toughest privacy laws in the United States, will require companies to tell California residents what information is being collected and how it’s used. You have 18 months to get ready.
For organizations already actively complying with the requirements of the European Union’s General Data Protection Regulation (GDPR), the CCPA will have little impact. You are already doing what you need to do to comply, as the California statute’s intent is very similar to GDPR. The goal of both of these laws — and the Australian Privacy Principles — is to give consumers ownership and control of their personal data. And it provides the legal bite to ensure compliance.
If your US-based organization, however, has not started or believes that the GDPR will not have an impact on your local business, the new law is more than a wake up call, it’s your fire alarm. And where California goes, many other states will follow.
The new law will more than likely require a thorough review of your data security controls or risk expensive litigation and fines.
Here’s a quick look at the highlights:
- California’s Attorney General’s office will have the authority to enforce the law when it goes into effect in January 2020.
- It has provisions for allowing people to tell companies to delete or stop selling their information.
- The law does not force companies to stop collecting information OR provide provisions for consumers to request companies stop collecting their information.
- Like the GDPR, the California law has a broad definition of PII (IP addresses, geo-location and browsing info [cookies])
- The California law has an exception for personal information “de-identified or in the aggregate consumer information;” however, the law doesn’t give much detail on the identifiers that are not subject to scrutiny.
- Aggregation of information might also be an alternative way for advertisers to ignore the law.
With 18 months to enforcement, companies need to start today. Most companies focused on security and compliance already maintain formalized incident response, disaster recovery/business continuity plans as well as comply with encryption/data anonymization for sensitive data storage and have gone through at least a rudimentary data-mapping process that should easily surpass the California requirements. If that isn’t the case for your organization, implement the GDPR methodologies and processes to comply with the CCPA and you will be set for any eventuality.