Navigating the California Consumer Privacy Act
Passed into California law on June 28th, 2018, the CCPA is the strongest privacy legislation enacted in any state at the moment, giving more power to consumers in regards to their personal data.
At its core, it aims to provide consumers with the right to know what information businesses collect about them, to tell a business not to share or sell their personal information, and to protections against businesses which do not uphold the value of their privacy.
What is the California Consumer Privacy Act (CCPA)?
The compliance deadline for the CCPA went into effect on January 1st, 2020. Organizations affected by its regulations must now undertake efforts to better identify their current data processing activities, and how these may need to be altered to ensure compliance and minimize liability. American companies that managed to skirt the sweeping regulatory demands of GDPR due to a lack of contact with European Union citizen data are much less likely to dodge responsibility stemming from the CCPA, as all data from California residents will fall under the law.
What major similarities exist between the CCPA & the Global Data Protection Regulation (GDPR)?
For organizations who are already subject to GDPR, the degree to which CCPA incorporates elements of GDPR is critical in determining how much further action is required to achieve compliance. Overlaps between the two laws will prove a relief for GDPR subject companies, as it ensures the journey to compliance with CCPA will not start at square one. Importantly, there is significant convergence between the two laws, including the demands for organizations to:
- Give individuals rights to access and delete their personal information
- Require transparency about information use
- Necessitate contracts between businesses and their service providers 2
- Require technical controls to prevent re-identification in order to consider data pseudonymized
- Take reasonable security measures as protection from data breaches 3
- Provide personal information in a readily usable and transportable format in response to a request for disclosure
About the Authors
Justin Whitaker is a Partner and Practice Lead of DayBlink’s Cybersecurity Center of Excellence and is based in the Vienna, Virginia office.
Michael Morgenstern is a Partner and Practice Lead of DayBlink’s Cybersecurity Center of Excellence, a former cybersecurity entrepreneur, and is based in the Vienna, Virginia office.
Jacob Armijo, CISM is a Senior Consultant at DayBlink and Chief of Staff of DayBlink’s Cybersecurity Center of Excellence. He is based in the Vienna, Virginia office.
Research contributions from: Harry Baker, Chloe Spetalnick, Clare Suter, and DayBlink’s Cybersecurity Center of Excellence