What All Businesses Need to Know about Data Security Compliance with the California Consumer Privacy Act
This summer, California passed groundbreaking privacy rights legislation through the California Consumer Privacy Act. The law takes effect January 1, 2020, but companies need to have data tracking systems in place by the beginning of 2019. Even if your business is not located in California, you may be liable – so here’s everything you need to know to get your data security compliant.
What is the California Consumer Privacy Act?
California law AB 375 is legislation passed in June 2018 by the California State Legislature that grants unprecedented personal data privacy rights to California consumers. These five rights are now guaranteed by law:
- The right of Californians to know what personal information is being collected about them
- The right of Californians to know whether their personal information is sold or disclosed and to whom
- The right of Californians to say no to the sale of personal information
- The right of Californians to access their personal information
- The right of Californians to equal service and price, even if they exercise their privacy rights
Compliance is required for all companies that receive personal data from California residents if they – or their parent company or a subsidiary – exceed any of three thresholds:
1. Annual gross revenues of $25 million
2. Obtains personal information of 50,000 or more California residents, households or devices annually, or
3. 50 percent or more of its annual revenue comes from selling consumers’ personal information
Like the EU’s General Data Protection Regulation that went into effect this spring, the Consumer Privacy Act has far-reaching effects on global business, data security trends and society’s opinions on privacy.
Data Security Compliance
Businesses are required to have “reasonable security procedures and practices,” or face penalties. With the law, consumers hold businesses directly accountable for non-compliance. They can register a complaint of privacy rights violation and companies then have a 30-day window to resolve the issue or face a fine of $7,500 per record.
AB 375 also holds businesses responsible for protecting the personal data they collect. If unauthorized access to personal data occurs, the organization will face penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Unauthorized data access can stem from a breach, theft, or “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Besides transparency about the use of consumers’ personal data, businesses are required to protect that data with a quality information security plan.
Though the law does not detail specific security requirements, companies would be wise to protect personal information to both maintain privacy and protect themselves from penalties.
What kind of data is protected?
The CCPA protects personal information, and it defines that more broadly than any legislation has before. Since you need to make sure your data security package is compliant, here’s a rundown of the types of data you are now required to secure:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Data Security Tools
As described by AB 375, data threats can come in many forms – and you need to be prepared to protect against all of them.
Veriato provides a suite of tools to defend your organization from hackers, insider threats, unconscious bias and other data security risks. See how Veriato can protect your consumers’ data and help you manage compliance with the California Consumer Privacy Act.