On 1 January 2020, the California Consumer Privacy Act (CCPA) will enter into application. Widely considered to be one of the most significant legislative privacy developments in the US, the legislation will also have a major impact globally given the size of California’s economy.
In many respects, the CCPA is leading the way for substantial change to the privacy compliance landscape in the US. The focus of the CCPA relates to individual consumer rights, including placing obligations on businesses to inform consumers what personal data will be collected and for what purpose – at or before the collection takes place.
Since its enactment, there has been an unprecedented volume of legislative proposals regulating data privacy at the state level. This burst of interest has resulted in numerous laws: on data security, on internet service provider (ISP) privacy, on specific types of data, and on comprehensive data privacy.
This includes Maine and Nevada, both of which have passed their own new privacy laws relating to consumer rights (although Maine’s law only applies to ISPs), as well as laws that are in differing stages of discussion and amendment in state governments including Louisiana, New Jersey, Texas, Vermont and Washington. Most of these laws focus on the individual rights obligations found in the CCPA, but GDPR-like obligations were found in the failed Washington Privacy Act and in one of the two bills proposed in Texas.
While Nevada’s new privacy legislation will come into effect on 1 October 2019 before the CCPA (1 January 2020), it only applies to companies or individuals operating commercial services online, requiring these operators to gain permission from consumers to sell their personal data.
Meanwhile, the Louisiana bill is focused on protecting consumers when using the internet and social media. However, one of the definitions of the law appears to relate to any individual in the state operating a commercial website, which clearly would have significant implications for a large number of businesses and organisations.
Although it is not an omnibus-style law like the European Union General Data Protection Regulation (GDPR), many consider that the CCPA has been inspired in part by the GDPR. This is particularly the case around data subject rights.
Those companies that are now broadly compliant with GDPR will have taken several key steps during this process that can also be used to ensure compliance with the CCPA as well as several of the other state laws undergoing proposal in the US.
An example of this is Article 30 of the GDPR, which features multiple obligations relating to the ‘records of processing activities’, requiring businesses to, among other things, keep a record of how and why they have processed customer data. This record can be enhanced to document processing activities related to California residents’ information to meet some aspects of CCPA compliance.
However, it is also important to note that not all policies implemented to ensure GDPR compliance marry up exactly with the requirements of the CCPA. For example, deletion exceptions constitute one such area. While both regulations provide the consumer with the right to request that personal information about them is deleted, they are framed differently. In the case of the CCPA, deletion exceptions focus on questions related to whether it is necessary to maintain data for a certain action as opposed to whether the data meets certain ‘static’ characteristics and there are multiple exceptions.
While there are both subtleties and, in some cases, significant differences among the raft of privacy legislation sweeping the US and the rest of the globe, it is also the case that there are multiple commonalities in terms of the requirements placed on businesses once bills are passed.
With this in mind, businesses must focus attention on getting ready for the CCPA and other forthcoming laws now by laying the foundations for a comprehensive privacy program and therefore minimising the length of their journey to compliance. From a practical perspective, this means taking steps such as identifying all of the goals of the business in relation to privacy compliance, ensuring there is awareness of where consumer data is currently stored, and developing new processes or enhancing existing ones on how to fulfil a data subject request.
Businesses cannot afford to adopt a ‘wait and see’ approach when faced with preparation for compliance with privacy legislation such as the CCPA. They must get started now and look to build a privacy compliance infrastructure that will help minimise overall time to compliance with multiple laws in the US and around the world.
By Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity