It’s Here! The California Consumer Privacy Act
The European Union has assembled much of its data privacy rules under the General Data Privacy Regulations (GDPR). While it’s expansive, this rule also streamlines under one standard how businesses can achieve compliance. Some international businesses have adopted the GDPR framework worldwide to simplify their business operations.
In contrast, the United States has operated amid a patchwork of privacy regulations, with laws applied to specific industries, markets, types of personal information and other factors. These include such rules as the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), Payment Card Industry Data Security Standard (PCI DSS), Health Information Portability and Accountability Act (HIPAA), and more.
Given the chance for confusion amid the US regulatory patchwork, California has taken the lead to adopt a wide-ranging consumer privacy law. Because of the state’s size and reach, it’s likely that this rule’s tenets will be adopted by other states, if not the federal government itself at a later point.
The California Consumer Privacy Act establishes significant requirements regarding handling of personal information related to consumers. Some may think it only applies to California-domiciled businesses, but this is a mistake; it applies to ANY business that collects or works with California resident personal information and fits any of the following criteria:
- Annual gross revenues over $25 million
- Annually receives or discloses personal information related to 50,000 or more California residents or households
- Derives 50% or more of annual revenues from selling California residents’ personal information
Not sure if your company is impacted? Complete this quick assessment. View tool: https://www.syntrio.com/resources/compliance-training/ccpa-does-it-apply-to-you/
The CCPA requires businesses to take several steps that, broadly, provide California consumers with five basic rights:
- Right to know about the business’s practices in collecting personal information, including why it is collected and how it is categorized
- Right to review personal information about the consumer that the business collects or maintains
- Right to opt out of the business sharing personal information related to the consumer with third parties for marketing
- Right to delete related personal information
- Right not to be discriminated against for exercising the above rights
Further, the CCPA requires that a business’s employees be trained if they are charged with responding to consumer requests pertaining to these above rights.
Many businesses may decide that training other employees is also important, given the degree to which personal information is collected, handled, processed, shared, transferred, and disclosed to others within an organization.
Syntrio has recently released its California Consumer Privacy Act training courses, relevant to any employee who is responsible for, or works regularly with, California consumer personal information. This training outlines the steps businesses must take to honor these rights, as well as other compliance standards a business must meet, such as working with vendors and other third parties.
More information on Syntrio’s CCPA course: https://www.syntrio.com/solutions/course-library/ethics-compliance/privacy/california-consumer-privacy-act/