California has been at the forefront of tech innovation and is leading the way as the first state to give consumers insight and control over their personal information collected online through The California Consumer Privacy Act (CCPA). The act will be effective January 1, 2020, with enforcement by the California Attorney General beginning July 1, 2020. Other states are expected to follow California’s lead.
This landmark law will have enormous impacts on the way companies doing business with California citizens collect and store data, specifically tech giants like Google and Facebook, but how will it affect your business?
Jeff Roberts of Forbes explains the CCPA simply: “In practice, this means consumers will be able to ask anyone from Google to Starbucks to disclose what data they are collecting, simply by using a website or phone number. Those companies will also have to put a ‘Do Not Sell My Personal Information’ button on their websites and delete the data if a consumer asks them to do so. Finally, business won’t be able to refuse services or charge higher prices if a consumer exercises these rights.”
In order to understand the impact of CCPA, more detailed aspects of the act are reviewed below.
Does your business meet the criteria of the CCPA?
The CCPA regulates covered businesses that collect, sell, or disclose consumers’ personal information in California, whether or not the business is physically located in the state. In addition, the business must meet one of the following criteria:
- Have annual gross revenue of $25 million or more;
- Annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices; or
- Derive 50% or more of its annual revenues from selling consumers’ personal information.
What are the rights granted to consumers under the CCPA?
Consumers will have the right to request from businesses collecting their information:
- To disclose the categories and specific pieces of personal information collected
- The business purpose for collecting and selling their information
- The types of third parties with which the information is shared
- To delete any personal information
- To opt-out of the sale of their personal information
How do you comply with the CCPA?
Complying with the CCPA will require a diligent review of processes and procedures. Initial undertakings may include the following implementations:
- Updating privacy notices and policies to include the new California consumer rights, including timely notifying consumers of the categories, purpose, and use of the personal information collected. Insurers conducting business in multiple states should consider either a universal privacy notice or notices distinguished by state.
- Updating database fields to categorize and track consumers’ personal information shared with third parties, such as a specialty consumer reporting company that collects property and casualty claim information.
- Implementing procedures for consumers to exercise their rights. Businesses are required to provide at least two request-submission methods (at a minimum a toll-free number and a web address), promptly verify consumer requests, and respond to requests within 45 days.
- Educating employees about the CCPA and training them to properly manage consumers’ personal information and requests.
- Performing penetration tests and vulnerability scans of the IT infrastructure to prevent data breaches and safeguard consumers’ personal information.