CCPA: A New Era of Data Privacy
As of January 1st, 2020, the California Consumer Privacy Act (CCPA) will effectively be the first major data privacy regulation for U.S. businesses. For those businesses that have yet to face new consumer data privacy regulation, CCPA can seem daunting. CCPA aims to give California consumers greater transparency into how their data is being collected and the ability to decide how that data is used. To achieve this, companies that conduct a significant amount of business in California must invest time and resources into understanding how they collect personal data, what happens to it, and how best to inform their customers. This article examines three essential questions that businesses may confront when approaching CCPA.
Does CCPA apply to my business?
The implications of CCPA reach far beyond the state. According to CCPA, a business must be for-profit, doing business in California, and collecting personal data (directly or via a third party). Additionally, the business must meet one of the following criteria: claim annual gross revenue over $25 million; annually buy, receive, or share the personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of its revenue from selling the personal information of California residents. Depending on your customer base and revenue streams, CCPA casts a wide net well beyond the California borders. For many companies, CCPA is the first of many "local" legislative actions that will prompt reevaluation of data privacy practices on an enterprise-wide scale.
What qualifies as “Personal Data” under CCPA?
CCPA classifies personal data into eleven categories, most notably: Identifiers, Commercial Purchasing Information, Biometric Information, Internet or Network Activity, Geolocation, and Employment or Education Information. The type of information covered by CCPA spans from the typical (name, social security number, home address) to the unconventional (audio recordings, website clicks, and GPS data). The law covers all data that is not publicly available, including fragmented information that can be pieced together to reveal personal information. For instance, non-attributable location data could qualify as personal data under CCPA because of the likelihood of association with an individual's residence. This is one of many complexities in defining personal data that companies must contend with going forward.
How do I get started?
The challenge of implementing CCPA is two-fold: data governance and compliance. Data governance concerns a business's awareness and management of what data it collects and how it is used. This path from origin to dissemination or storage is known as data lineage and is key to developing a strategy for data best practices. Companies should begin by identifying what type of personal data they are collecting (actively and passively) and where that data is stored (the cloud, in-house servers, or via a third party). Then, companies must take a holistic approach to compliance that incorporates members of the management, legal, and IT teams. CCPA should be taken as an opportunity to examine the compliance structure of your business and consider radical change when necessary.
These questions are the foundation of a thorough and responsive data privacy strategy that every company should be investing in, whether or not CCPA applies to their business. CCPA is sure to be the first of many consumer data regulations as consumers become more conscious of their rights to privacy on the internet. The response to CCPA should not be a set-it-and-forget-it approach that meets the bare minimum for compliance. Businesses must adopt a strategy that offers the flexibility to evolve with a fluid and dynamic data privacy landscape. Doing so represents an investment in long-term compliance and the best possible stewardship of consumer privacy.