Following the implementation of the European Union’s General Data Protection Regulation (GDPR) earlier this year, privacy and security regulations are taking the world by storm. The California Consumer Privacy Act, petitioned and signed June 2018, will be put into effect on January 1, 2020. Despite its smaller geographical scope, the law will have a significant effect on many businesses.
The Act was approved in response to a similar initiative with stricter provisions that had been publicly petitioned in November 2017. The petitioners repealed the initiative once the Act was approved.
This act has four basic provisions:
1. Consumers have the right to know where their information is being used, where it is sourced from, if it is being shared or sold, and to whom it is being shared or sold
2. Consumers have the right to disallow companies from sharing their information
3. Consumers have the right to ask a business to delete their personal information, with certain restrictions
4. Consumers have the right to receive the same kind of service and pricing from a particular organization
Businesses will be subject to the new law if they have an annual gross revenue of $25 million or get most of their revenues from selling, buying, or sharing personal information. Failure to comply could result in penalties up to $7,500 per intentional violation and $2,500 per unintentional violation. Businesses may also be ordered to pay $100 to $750 per resident whose information is compromised by a data breach.
To be CCPA-compliant by 2020 and avoid future penalties, there are five things to add to your checklist:
Create a database of your Californian market consisting of their names, addresses, and contact details, also including the data’s purpose and source. This makes the data more accessible as companies are required to be transparent with clients and customers about how they process data. When your consumers ask where their information has been used, it will be your responsibility to respond without charge.
The Act also requires organizations to provide their customers several means of contacting them should they want to request disclosure. The information must be provided within 45 days of the request and free of charge. This means that the information should be on-hand and accessible.
Though sharing some similarities with the General Data Protection Regulation (GDPR), the Privacy Act also allows consumers to have their information deleted. Consumers may have their personal data deleted from the master file and records. This does not include information collected for transactions currently being processed or any information that is found useful for security incidents.
Put together a team that can collect the data, verify the identity of the people requesting their data, respond to the request within 45 days, and update their records should anyone opt out of their services.
Businesses will be required to place a link on their homepages reading “Do Not Sell My Personal Information” for consumers who do not want their information disclosed to third parties. You will also have the responsibility of keeping track of the ages of your customers. Only people aged 14 and up can avail themselves of businesses’ services online. Anyone younger would need consent from a parent or guardian.
The trend of data privacy regulations is just beginning. With California emphasizing consumer rights, other states may follow suit. Businesses must begin to adapt: know how much consumer data they are responsible for, adjust their policies and strategies accordingly, and remain consumer-friendly.
Though it may take some work, updating your company’s records comes with benefits. It will significantly improve your data management and will get rid of unsuccessful leads. The Privacy Act will bring to light your business’s cybersecurity issues so that they can be fixed, preventing future fines from data breaches. And once your contacts have been narrowed down, you will be left with people who can boost your ROI and help you study your market more closely.
Complying with the requirements may cost you some data, but businesses that give customers access to and control over their data will enjoy increased trust and loyalty.
Wilson Consulting Group is an innovative global cybersecurity consulting firm headquartered in Washington D.C., with a European office in London.
Talk to us and we will ensure your company is compliant by the implementation of the Privacy Act. Further information is available at https://www.wilsoncgrp.com.