The California Consumer Privacy Act (CCPA) was enacted in January of 2020 to protect the personal information of California residents. In early March of 2020, the California Office of the Attorney General released a set of proposed revisions to the CCPA draft that would alter the regulations. Beginning July 1, the Attorney General’s office will enforce the regulations with penalties, which carries more weight than the private rights of action consumers were bringing before. With this new enforcement, businesses need to actively prepare their systems to comply with the data protection laws.
Public Comments Prompt Changes to the CCPA Laws
The California Attorney General submitted the final text of the CCPA to the California Office of Administrative Law (OAL) on June 1 after taking into consideration comments from the public. In the original version, businesses had to notify a consumer when their personal data was being collected, how it was used, and who it was sold to.
Consumers could also request to have their data removed from a business or third party who received the information in a sale. The final main point was for a “do not sell my information” button to be on the homepage of businesses. After public commenting, the Attorney General’s office created a new draft of the law that included the following changes:
- New Definitions: The phrases “financial incentives” and “price or service differences” are tied to whether a program, benefit, or the like is related to the collection, retention, or sale of information. Additionally, the portion of the law relating to what qualifies as “personal information” has been removed.
- Notice of Personal Data Collection: Businesses do not have to give notice to the consumer if the personal data they collect is indirect and the data is not sold. Notices do not need to include a link to the company’s privacy policy.
- Right to Opt-Out of Sale of Personal Data: Businesses must still provide a way to let consumers opt-out of having information sold, but there is no longer guidance on a uniform opt-out button for all businesses.
- Privacy Policy: Businesses must identify the categories of sources where they collected personal information. They must also identify the business or commercial purpose for collecting and selling personal information in terms the consumer can understand. Finally, businesses must describe the opt-in process for children under 16 years of age.
- Service Providers: Some wording in this portion was changed, and service providers are now permitted to use personal information to build or improve the quality of their services.
- Requests to Know and Delete: The requirement that businesses ask a consumer whether they want to opt-out of data sales when responding to a deletion request was removed. They must still ask this question if they deny the deletion request.
Finding Tarnished Businesses in the Golden State
Starting next month, the Attorney General of the state may enforce consequences of violating the CCPA laws after a 30-day notice. These consequences include penalties of up to $2,500 per violation or up to $7,500 per intentional violation. Companies are required to provide residents of the state with a copy of any personal data they have and prove they are reasonably protecting that information.
Individuals may file a class action lawsuit, or the Attorney General can bring action against the company, if the data is not properly secured. This means a business with several databases’ worth of information must now secure it all to avoid a potential penalty. The more data a company holds, the harder it is to secure all of it, and many businesses have not had to deal with regulation like this before.
Getting Down to the Business of Data Protection
The first step in protecting data is to locate where it lives and determine what files are considered to be “personal information.” Some actions businesses should take to prepare for data protection requests include:
- Update privacy policies on your website to ensure consumers understand their rights and the new CCPA laws.
- Keep an easy-to-use inventory of consumer data to respond to requests in a timely manner.
- Ensure your service providers are also following CCPA rules to protect your business as well as consumer data.
SecureData is committed to data security and offers a variety of products and services to maintain GDPR and HIPAA compliance. Our hardware encrypted storage devices prevent unauthorized parties from accessing the data and are FIPS 140-2 Level 3 Validated for total security. Corporations can integrate these devices into their existing operations to protect data as they transition to following these new standards. To learn more about our line of storage products or our other data security services, call (800) 520-1677.