Complying with the Consumer Privacy Act
Data privacy has always been important. This is the reason why people put locks on filing cabinets and rent safety deposit boxes at their banks.
But as more of our data becomes digitized, and we share more information online, data privacy is taking on greater importance. A single company may possess the personal information of millions of customers—data that it needs to keep private so that customers’ identities stay as safe and protected as possible, and the company’s reputation remains untarnished.
This is also the primary reason why California just passed the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. (CCPA), which will require US companies to implement a number of similar privacy initiatives, which will afford California residents unparalleled (in the United States) data privacy rights. The law takes effect on January 1, 2020, and businesses are obliged to comply. In fact, there are internet lawyers like the ones from revisionlegal.com who help businesses to be in compliance with CCPA. Their wide range of internet law attorney counsels businesses and individuals in a wide range of Internet-related issues including domain name disputes/theft, copyright and DMCA, and trademark and unfair competition matters, including compliance to the CCPA.
With the description above of what CCPA is, businesses within the scope of the law should comply. Enumerated below are ways where businesses can comply with CCPA:
1. Scope of the Law
Not every organization is subject to the CCPA. The law applies to businesses that have gross annual revenues greater than $25 million; those that buy, receive or sell the personal information of 50,000 or more consumers, households, or devices; or businesses that derive 50 percent or more of their annual revenue from selling consumers’ personal information. For-profit enterprises do not necessarily have to be based in California to be subject to the statute.
2. It’s not just IT
Businesses should put together a team comprised of legal, compliance, business, and technology experts. The responsibility of the team is to assess the compliance strategy to address the implications of the CCPA on their business and an impending onslaught of similar legislation expected.
3. Revise Online Policy
Update Website and employee privacy policies to include descriptions of the categories of information collected, third parties with whom data is shared, and rights available to individuals under CCPA. It is also recommended to take a look at your internal (non-customer-facing) privacy policies and procedures as well. The policy should be drafted with the specific needs and uses of the organization in mind to ensure that it is implementable, useful, and enforceable.
4. Document “reasonable security” Practices
Covered businesses should review information security processes against established data security standards such as the National Institute of Standards and Technology, International Organization for Standardization, or CIS Critical Security Controls. Companies should ensure sufficient documentation of those controls is in place to demonstrate ‘reasonable security’ in the event of a data breach.
5. Establish a subject data request process
Companies should be prepared to intake and effectuate consumer access and deletion requests through a robust data request process.
Since data privacy is a primary care-about with our ever-evolving world ruled by technology, more and more individuals are taking active strides to make sure that their personal data, especially in the consumer industry, are safe and secured. If you are a business governed by this new law, be proactive and follow the steps above to ensure your business is in compliance. If you need help, seek consultation from legal experts.