It’s Here! The California Consumer Privacy Act
The European Union has assembled much of its data privacy rules under the General Data Privacy Regulations (GDPR). While expansive, this rule also streamlines how businesses can achieve compliance under one standard. Some international companies have adopted the GDPR framework worldwide to simplify their operations.
In contrast, the United States has operated amid a patchwork of privacy regulations, with laws applied to specific industries, markets, types of personal information, and other factors. These include such rules as the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), Payment Card Industry Data Security Standard (PCI DSS), Health Information Portability and Accountability Act (HIPAA), and more.
Given the potential for confusion amid the US regulatory patchwork, California has taken the lead in adopting a wide-ranging consumer privacy law. Because of the state’s size and reach, other states, if not the federal government itself, will likely adopt this rule’s tenets later.
The California Consumer Privacy Act establishes essential requirements for handling consumer personal information. Some may think it only applies to California-domiciled businesses, but this is a mistake; it applies to ANY company that collects or works with California residents’ personal information and fits any of the following criteria:
- Annual gross revenues over $25 million
- Annually receives or discloses personal information about 50,000 or more California residents or households
- Derives 50% or more of annual revenues from selling California residents’ personal information
Not sure if your company is impacted? Complete this quick assessment. View tool: https://www.syntrio.com/resources/compliance-training/ccpa-does-it-apply-to-you/
The CCPA requires businesses to take several steps that, broadly, provide California consumers with five fundamental rights:
- Right to know about the business’s practices in collecting personal information, including why it is collected and how it is categorized
- Right to review the personal information about the consumer that the company collects or maintains
- Right to opt out of the company sharing personal data related to the consumer with third parties for marketing
- Right to delete related personal information
- Right to not be discriminated against for exercising the above rights
Further, the CCPA requires that a business’s employees be trained if they are charged with responding to consumer requests about the above rights.
Many businesses may decide that training other employees is essential, given the degree to which personal information is collected, processed, shared, transferred, and disclosed to others within an organization.
Syntrio has recently released its California Consumer Privacy Act training courses, relevant to any employee who is responsible for, or regularly works with, California consumer personal information. This training outlines the steps businesses must take to comply with these rights, as well as other compliance standards that a company must meet, such as those for working with vendors and other third parties.
More information on Syntrio’s CCPA course: https://www.syntrio.com/solutions/course-library/ethics-compliance/privacy/california-consumer-privacy-act/