California is setting the stage for compliance in 2020 with the enactment of the California Consumer Privacy Act (CCPA). The statute that went into effect on the first of January expands the rights of Californians over their data.
It gives the state’s residents the right to learn what personally identifiable information (PII) companies are collecting; they can also request that their data be deleted and not sold to third parties. Much like what the European Union (EU) did in May of 2018 with the General Data Protection Regulation (GDPR), this law could very well change data privacy in the United States for good.
Although this law was passed in California, many organizations across the nation are already considering legislation of their own so that they can protect their citizens. Additionally, as more than 10% of the nation's population resides in California, chances are that many companies outside of the state do business within it. As such, they are more than likely required to make the changes needed for compliance. CCPA will impact the entire nation.
The GDPR served as a blueprint for the CCPA in that both essentially seek to protect the citizens of their respective territories. Consequently, global organizations that complied with the EU regulation are more prepared for California’s similar regulation.
Personal Identifiable Information
So what personal information does this law actually protect? The CCPA covers all the general information that you’d expect, such as one's name, username, email, phone number, and password. However, it also protects Californians’ digital footprints. This extends the statute’s reach to users’ IP addresses as well as characteristics that are used to identify a person, such as race, religion, marital status, sexual orientation, and U.S. veteran status. But that's not all: CCPA also protects biometric information such as fingerprints and facial recognition data, as well as browsing history and location info. Companies must also disclose what information is being compiled as well as offer users the opportunity to opt out.
In addition to the above, parents must now consent to companies selling data to third parties when it pertains to children under the age of 13. This broadens the reach of child protections (such as the Children’s Online Privacy Protection Act (COPPA)) that oversee the accumulation and distribution of children’s data. Californian consumers who have their data privacy rights violated by organizations may sue; the state is allowed to investigate and enforce these rights, as well.
CCPA is a step in the right direction for data protection in the United States. However, it does require that organizations take ample steps to ensure that they are truly protecting personal data. When the right security technologies are not in place, this can be quite challenging.
For more information on how a cloud access security broker can help an organization expedite the CCPA compliance process, download the Bitglass for CCPA Compliance white paper.