AB 375, or the California Consumer Privacy Act (CCPA) of 2018, was signed into law by California Governor, Jerry Brown, on June 28, 2018 and is recognized as one of the toughest privacy laws in the U.S. The statute requires companies to disclose to California residents what information is being collected on them and how it will be used. Companies have 18-months to prepare for this new law to go into effect; it’s set to begin in January 2020.
To fulfill the regulation’s stipulations, any business in the U.S. that has the personal data of a California resident will have to identify all categories of the data which they possess. Further, these organizations must be able to provide a full report — within 45 days of user request — of what exactly they do with this data. This includes not only the specific categories of data, but also why they possess it and who they sell it to or share it with. For many organizations already complying with the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, this new CCPA law is nothing to be concerned about. The requirements of GDPR are very similar to those of the CCPA, so there is no action to take beyond what your organization is already doing from a compliance standpoint.
However, if your U.S.-based organization has not taken GDPR seriously or does not believe it will impact your business, then this new California law might as well be coming to you surrounded by flashing lights. As we’ve seen with GDPR, and other similar legislation like The Australian Data Privacy Regulations, data privacy laws and requirements are spreading globally. If any of the current laws haven’t already impacted you, similar statutes certainly will in the future as concern for data privacy continues to spread across the U.S. and abroad.
So, what should you do if your business is not prepared for data protection regulations already? Here are a few tips to get started:
Map data workflows by charting what data is incoming and outgoing. Through doing this, you will be able to granularly account for specific data types. This will help to provide a holistic view of your organization’s data, so that you will be able to monitor sensitive information where any legislation might apply.
Work closely with your vendors to ensure coordination compliance. If you work with third parties that process data on your behalf, it’s crucial you ensure that the appropriate terms are in place to comply with GDPR, CCPA and other legislative statutes to safeguard your data.
Take time to learn about your customer’s compliance requirements. It’s not only important to remain compliant to any legislative requirements, but it’s equally essential to identify your customer’s concerns. Consider using surveys and focus groups to learn their compliance needs. Afterwards, if you find that it’s required, refresh any necessary contractual obligations to align with regulations.
Understand the extent of your data protection responsibilities. Compartmentalize data based on whether you are processing it, transferring it and where you would be considered a controller of data. From there, you can segregate the requirements put forth in legislation to determine the extent of your responsibility.
Fine-tune your internal policies and processes. Develop an internal process and solution to meet your customers’ needs that also complies with the intent of the framework of the regulation. Also devise a public compliance message such that your customers will be able to find a definitive compliance statement.
As these laws are still new, remember to stay on your toes to best ensure you remain compliant. The regulations themselves continue to evolve and proliferate, so make sure your organization is flexible, appropriates funds and can make adjustments as necessary. Additionally, it is crucial that you closely monitor how the language of these legislative statutes are interpreted in the context of the data protection services that your organization provides. This way, you will be able to ensure continued compliance in the wake of these new regulations no matter what.
The bottom line is this: take action immediately. Most current and up-and-coming regulations are very similar, so utilize these common frameworks and enact the tenants of legislation such as GDPR, The Australian Data Privacy Regulations and CCPA so that you will be ahead of the game once these requirements spread to include your business.