The California Consumer Privacy Act (CCPA)
Have you noticed recently that many of the web sites you visit now have a link or banner that displays additional information for “California Residents”? When clicking on the link, you learn about all the additional protections around the privacy and security of your personal information. For example, a few of the highlights of CCPA include:
- The right to know what personal information has been collected
- The right to have your personal information permanently deleted
- The right to “opt-out” of the sale of your personal information
- The right to know when your information is sold and to whom it was sold
- The right to know exactly what information about you a company possesses
Additionally, companies that store or process your personal information have certain obligations and responsibilities. Among those are:
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; and act against those responsible for that activity.
- Use the information for purposes that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Identify the categories of information collected by the business about the consumer and understand where that information is stored, processed, and/or transmitted.
- Provide clarity to the consumer about how the information is used and disclosed, and about the consumer’s options regarding the use and disclosure of that information.
- Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.
We’re often asked whether a company that does not reside in California is subject to this rule. While the CCPA is a newer regulation, there is legal precedent set by California Senate Bill 1386 (a similarly intended California law regulating the privacy of personal information) establishing that an out-of-state corporation that holds personal information relating to a California resident falls under this statute.
Additionally, it appears that other states are enacting laws and regulations modeled after the CCPA and GDPR (Europe’s General Data Protection Regulation). Over time, as information becomes more portable and available, additional regulations will be developed and imposed.
Organizations that adopt a security framework that includes identifying and classifying information, tracking risk and compliance objectives, and training their workforce prove to be in a much better position to digest these new regulations. In many cases, specifically in the healthcare industry where the sensitivity of personal information is closely monitored, controls already implemented exist to meet these requirements. Understand your obligations.