In June 2018, California enacted the California Consumer Privacy Act (CCPA). The CCPA regulates how companies handle personal information belonging to California consumers, and it is not restricted to California companies. It grants California consumers new rights to access and delete their data while placing restrictions on entities that collect, store and sell Californians’ personal information.
The CCPA takes effect on January 1, 2020, and many U.S. businesses that were not subject to Europe’s General Data Protection Regulation (GDPR) will have to comply with it. The International Association of Privacy Professionals (IAPP) estimates that over 500,000 businesses in the United States, including over 100,000 in California alone, will need to comply with the new law.
With the deadline fast approaching, it is important that companies understand what the CCPA requires of them and their employees. We briefly outline below what the law requires for employee training.
Who Needs Training?
Once you have concluded that your business needs to comply with the CCPA, you can divide the steps you need to take into four main parts:
(2) Consumer requests,
(3) Opt outs, and
There are other smaller obligations under the law that apply in specific circumstances, but these four sections cover the majority of the new law.
We are going to focus here on employee training. Under Section 1798.130(a)(6) of the CCPA, regulated businesses have an obligation to provide CCPA training to
(1) those employees who handle consumer inquiries regarding company privacy practices as well as
(2) anyone responsible for the business’s CCPA compliance.
An organization’s first step will be determining who needs to be trained in order to fulfill consumer requests governed by the CCPA correctly. Generally speaking, any employee who may have to handle inquiries, not just about the CCPA but about the company’s privacy practices in general, needs this training.
For many organizations, this means training customer service representatives who handle calls to their toll-free lines as well as those who respond to digital requests that come in via email or another online process. Because the CCPA only protects California consumers, employees who deal exclusively with consumers in other states would not need to be trained; note, however, that a consumer’s state of residence is not always apparent from the channel they contact you through, so routing rules need to account for that. Some businesses may plan to funnel all requests directly to specific employees, train only that group on the CCPA, and train employees outside that group not to answer privacy or CCPA-related questions.
There may be other individuals within your organization who will not be answering actual consumer inquiries but who need to be trained. Any individual responsible for your organization’s CCPA compliance will need training.
Marketing, for example, cannot start an ad campaign with a new outside vendor without putting the correct CCPA contract terms in place for sharing personal data, so Marketing will need to inform IT and the Legal or Compliance Officer in charge of the company’s policies about the new method of data collection. The IT team is likely to be tasked with the actual deletion of data in response to CCPA consumer requests, or with creating reports when consumers request access to their personal information. Activities from marketing to sales to customer service implicate the collection, use and storage of data at your organization. Determining which individuals need to be educated is an important part of establishing a robust compliance program.
What Training Does the CCPA Require?
The CCPA makes businesses responsible for training their employees on key sections of the CCPA and on how to direct consumers to exercise their rights under those sections. Specifically, employees need to be informed regarding:
(1) the consumer’s right to ask the business to disclose what is being collected and for what purpose (Section 1798.110);
(2) the consumer’s right to ask what personal information is being sold or shared (Section 1798.115);
(3) the injunction against businesses discriminating against consumers who exercise their privacy rights under the CCPA (Section 1798.125);
(4) the business’s policy disclosure responsibilities and the rules regulating how it responds to consumer requests (Section 1798.130).
One of the easiest ways to ensure employees can direct consumers correctly is to put the CCPA-mandated privacy notice in place on your website and to create an internal compliance policy that is disseminated to all relevant employees.
The Relentless Global Privacy Training platform goes live on 1 December 2019, providing a secure online portal (which can be branded) that delivers your compliance training needs. The platform keeps all training records, in-course exams and certificate printing. Register your interest now: https://online.relentlessprivacytraining.com
Relentless CCPA consultancy offers a full service to achieve CCPA compliance for your organisation.
AS CALIFORNIA LEADS THE US IN IMPLEMENTING ITS OWN VERSION OF THE GDPR, WE EXPLAIN HOW THE TWO ACTS DIFFER AND WHAT INTERNATIONAL COMPANIES SHOULD KNOW.
Over a year has passed since the General Data Protection Regulation (GDPR) saw the EU hand control of personal data back to individuals. For international businesses, the initial scramble of frantic preparation has gradually given way to greater clarity about the day-to-day implications of the new rules, and about how to maintain the processes built into everyday operations and provide evidence of them.
California passed its own version of the regulation, the California Consumer Privacy Act (CCPA), within weeks of the GDPR deadline in 2018. Its own implementation date of 1 January 2020 now looms, and with less than 3 months to go, it is crucial to understand how this new state law will affect businesses on both sides of the Atlantic.
Not only is it considered the strictest data protection law in US history, it is expected to set a precedent for similar acts across other states in coming years.
WILL MY COMPANY BE AFFECTED BY THE CCPA?
Regardless of where in the world you are based, if you operate a for-profit business that does business in California and holds the personal data of California residents (customers or employees), the answer is yes, provided you meet at least one of the following criteria:
Gross annual revenue of over $25 million.
Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices.
Derives 50 percent or more of annual revenue from selling California residents’ personal data.
EXEMPTIONS FROM THE CCPA
Although the CCPA contains a number of broad requirements, there are certain exceptions to its application that should be noted. Specifically, the obligations imposed by the CCPA do not restrict a Business’ ability to:
comply with federal, state or local laws;
comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities;
cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law;
exercise or defend legal claims;
collect, use, retain, sell or disclose consumer information that is deidentified, or aggregate consumer information; or collect or sell a consumer’s Personal Information if every aspect of that commercial conduct takes place wholly outside of California.
A Business also does not need to honour a request to disclose information collected or sold where it would violate an evidentiary privilege under California law. A Business can also provide the Personal Information of a Consumer to a person covered by an evidentiary privilege under California law, as part of a privileged communication.
Additionally, the CCPA does not apply to:
medical information governed by the California Confidentiality of Medical Information Act (CMIA), or protected health information collected by a covered entity or business associate governed by the privacy, security and breach notification rules established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH);
a provider of health care governed by the CMIA or a covered entity governed by HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as it protects medical information or protected health information under HIPAA and HITECH;
WHAT DOES ‘SELLING’ PERSONAL DATA MEAN?
Selling is defined as selling, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s personal information to another business or third party for monetary or other valuable consideration. Personal data, in the broadest terms used by the GDPR, is any information by which a living individual could be identified; the CCPA’s definition of personal information is, if anything, broader still.
What are the differences between the GDPR and the CCPA?
The CCPA is far from a direct copy of the GDPR – the two differ fundamentally in a number of ways:
OPTING IN VS. OPTING OUT
The GDPR works largely on an opt-in basis: consent is one of the lawful bases for processing, and where a company relies on it, it must actively obtain the individual’s permission to retain and use their data. Under the CCPA, not only can any of California’s roughly 40 million residents expressly forbid the sale of their personal data, but they can ask a particular company to disclose how their data is being used. That company then has 45 days to produce a report detailing the use of the person’s data over the preceding twelve months.
PENALTIES FOR BREACHING THE CCPA
Fines differ from the GDPR in both size and structure. The highest tier of GDPR fine is €20 million or 4% of global annual turnover, whichever is greater. Businesses in breach of the CCPA face a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation, after a 30-day opportunity to cure. Individual consumers whose personal information is exposed in a breach caused by a failure to maintain reasonable security may also bring a civil action for $100 to $750 per consumer per incident or actual damages, whichever is greater.
COMPANIES IMPACTED BY THE CCPA
As outlined above, only for-profit companies doing business in California and satisfying certain criteria are regulated under the CCPA. The GDPR, on the other hand, applies to organisations of any size, profit-making or not, that process the personal data of individuals in the EU.
THE NEED FOR ONGOING REVIEW
While the GDPR continues to shape new and existing company policies, much of last year’s flurry of activity centred on a single deadline. The CCPA demands immediate action, but also continuous monitoring long after New Year’s Day 2020. Companies will need to track personal data usage year-round so that the twelve-month record can be provided on request, which effectively means that data from 1 January 2019 onwards should already be available.
Companies will also have to engage in data mapping in order to be able to delete consumer data on request, and continuously evolve their privacy policies according to what personal data they are selling.
What rights do consumers have under the CCPA?
California residents can, once verified, request that a business:
Discloses what categories and specific pieces of their personal data it has.
Discloses the categories of sources from which their data was collected.
Discloses the purpose for which it has collected or sold their data.
Discloses the categories of third parties with whom it has shared their data.
Deletes their personal data in its entirety (subject to certain exceptions).
Does not sell their data (by clicking a “do not sell” opt-out).
The legal requirement to respond within 45 days applies to the disclosure and deletion requests above.
HOW CAN MY COMPANY COMPLY WITH THE CCPA?
The main ways to comply with the CCPA are, as outlined above, the disclosure and deletion of data on request. Companies must also obtain affirmative authorisation before selling the data of consumers under 16: from the consumer themselves if they are aged 13 to 15, and from a parent or guardian if they are under 13.
In addition to this, however, companies must update their privacy policies to include:
A full description of California consumers’ rights under the CCPA.
The categories of all personal data collected and sold by the business in the last twelve months.
The business purposes for which all data is collected.
The categories of third parties with whom all data is shared.
A clear link to the “do not sell” opt-out tool.
Any financial incentives, such as discounts, offered to consumers for permitting the collection or sale of their data.
At least two methods for submitting disclosure or deletion requests, including at a minimum a toll-free telephone number and, if the business has a website, a web address.
What are the consequences of failing to comply with the CCPA?
As with the GDPR, it is well worth making sure your business is fully compliant, because the consequences of breaching the CCPA go far beyond the financial penalties. Companies may face further legal action, significant reputational damage and an erosion of trust in their business as a direct result of non-compliance.
Next steps
If you have any concerns about preparing your business for the CCPA, it is worth conducting a data discovery exercise and CCPA assessment to see what issues you might need to deal with.
Interested in learning more? Contact us today and we will be very happy to discuss your options.
In September 2018, California became the first state to pass a law addressing the security of connected devices. The law takes effect on 1 January 2020 and requires manufacturers of internet-connected devices to equip them with “reasonable” security features. It is a good first step toward addressing the risks inherent in the world’s increasing connectivity.
The legislation predates any federal law on IoT security, and this is not the first time California has led the way on data privacy and security policy; the new law may serve as a template for future legislation. It has faced both praise and criticism, but as with any policy addressing new technology, it raises many new, and sometimes difficult to answer, questions, such as the following:
What is IoT security and what are the potential consequences of insufficiently secured internet-of-things devices?
IoT security refers to the steps taken to secure internet-connected devices, everything from the Amazon Echo, Google Home and Ring doorbell to connected stoves, refrigerators and thermostats. It can mean anything from requiring a unique password on each device to ensuring that devices only communicate over authenticated, encrypted connections.
There are many consequences of insufficient or nonexistent IoT device security, chief among them that the devices can be taken over by criminals and used against their owners. For example, internet-connected devices with cameras or microphones could be used to watch or listen to their owners without permission. Additionally, devices like webcams, digital video recorders and home routers can be strung together into botnets and used to launch distributed denial-of-service attacks.
What is the government doing about this?
While several IoT security bills have been introduced in Congress, none has come to a vote. However, some states, California among them, are enacting bills that include security requirements for IoT devices.
The main provision of the California IoT security law is that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” What does “reasonable” security features mean?
California’s IoT law deliberately leaves “reasonable security features” undefined, since what is reasonable will vary by device. The statute does give one safe harbour for devices that can be authenticated from outside the local network: the feature is deemed reasonable if either the preprogrammed password is unique to each device manufactured, or the device requires the user to generate a new means of authentication before access is granted for the first time. In practice that means no shared default credential: either a per-unit password printed on the unit, or a forced credential change at first setup. For some devices, it could also mean the ability to restrict which voices or faces may give commands.
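The following is added here as an example and is not code from the original page or from the statute. It models both safe-harbour patterns in firmware terms: a manufacturing-line check that no factory password is shared between units (the shared-default weakness behind the botnets mentioned above), and a login gate that refuses any remote access until the owner has replaced the factory credential. The device class, serials and passwords are constructed for illustration.

```python
"""Added example, not code from the original page or from the statute.

Firmware-side model of the two patterns the statute accepts for devices that
can be reached from outside the local network: a per-unit factory password,
or a forced credential change before the first remote login. Device names,
serials and passwords below are constructed.
"""
from __future__ import annotations

import hmac
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    serial: str
    factory_password: str                 # printed on the unit's label (assumed)
    owner_password: Optional[str] = None  # None until the owner completes setup

    def login(self, presented: str, from_lan: bool) -> tuple[bool, str]:
        """Before setup, only the LAN may use the factory credential; remote logins are refused outright."""
        if self.owner_password is None:
            if not from_lan:
                return False, "remote access disabled until a new credential is set"
            if hmac.compare_digest(presented.encode(), self.factory_password.encode()):
                return True, "factory credential accepted on LAN; setup required"
            return False, "bad credential"
        ok = hmac.compare_digest(presented.encode(), self.owner_password.encode())
        return ok, "owner credential checked"

    def complete_setup(self, factory_presented: str, new_password: str) -> bool:
        """Accept the new credential only once, only with proof of the factory one, and only if it differs."""
        if self.owner_password is not None:
            return False
        if not hmac.compare_digest(factory_presented.encode(), self.factory_password.encode()):
            return False
        if len(new_password) < 8 or new_password == self.factory_password:
            return False
        self.owner_password = new_password
        return True


def shared_factory_passwords(fleet: list[Device]) -> list[str]:
    """Manufacturing-line check: a factory password used on more than one unit fails the 'unique per device' pattern."""
    counts = Counter(d.factory_password for d in fleet)
    return sorted(p for p, n in counts.items() if n > 1)


def provision(serials: list[str]) -> list[Device]:
    """Give every unit its own random factory password instead of one shared default."""
    return [Device(s, secrets.token_urlsafe(9)) for s in serials]


# Constructed fleets: the weak design (one default for every unit) beside the compliant one.
WEAK_FLEET = [Device("SN-0001", "admin"), Device("SN-0002", "admin"), Device("SN-0003", "admin")]
GOOD_FLEET = provision(["SN-0001", "SN-0002", "SN-0003"])

if __name__ == "__main__":
    print("shared defaults in weak fleet:", shared_factory_passwords(WEAK_FLEET))
    print("shared defaults in good fleet:", shared_factory_passwords(GOOD_FLEET))
```

The point of the gate is that a device with a shared default never answers a remote login at all, so a scanner that knows the default gains nothing; the per-unit password covers devices that must be reachable before the owner ever touches them.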
Will this law make the IoT secure?
It is difficult to say whether this law, or any law, will make the internet of things secure, because each device has different vulnerabilities. The law’s safe harbour is also phrased in terms of passwords and a “means of authentication”, so how it applies to PINs, facial recognition and other non-password authentication methods is left open.
What are the benefits and consequences of California passing legislation ahead of the federal government?
Because California’s IoT law requires manufacturers to include specific features when producing these devices, it will likely set off a trend that is followed nationwide. It will be less expensive for manufacturers to build all of their devices to California’s requirements, regardless of where they will be sold, than to produce products exclusively for California. Should this happen, it could remove the need for federal legislation. However, other states or federal lawmakers may enact laws that go further than the California bill. Stronger requirements for passwords and security would require manufacturers to pivot again and would make the California law obsolete.
What next steps should state and federal legislators take when it comes to data security and privacy?
Lawmakers should continue looking for gaps in security practices and data protections and create legislation that protects users from these built-in vulnerabilities. However, it is important for users and tech companies not to wait for legislation that mandates security measures, but rather begin implementing data protections and security measures proactively.
Relentless CCPA and Data Privacy Services has You Covered
COUNTDOWN TO THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
Inspired by Europe’s General Data Protection Regulation (GDPR), the State of California has set a new precedent with the passage of the California Consumer Privacy Act (CCPA). The major data incidents of last year have alarmed citizens about the security of their data, and states have rushed to develop and pass policies and legislation. California has become the first state to pass anything similar to the GDPR in the United States. This sets the precedent and will likely become the go-to model for other states. If you store or process customer data in your business, then this article is for you. In the coming years, businesses across the United States can expect to see a surge of privacy legislation at both the state and national level.
CCPA Basics & Clarification
The CCPA builds on earlier policy, on the GDPR and on recent data breaches. As stated in AB-375, in 1972 voters amended the California Constitution to include privacy as an inalienable right. The CCPA extends this to digital data, stating: “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”
The act itself cites previous attempts to safeguard the privacy of Californians, but nothing like the CCPA has been attempted before. It also cites the Cambridge Analytica incident, which violated the trust and privacy of Facebook users. Section 2 of the act lists the following rights as its goals:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say “no” to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
While these rights are the stated goals of the act, they do not capture its full requirements. Some aspects and nuances still need clarification, but that is to be expected. Let us expand on the major provisions of the legislation.
Who is Covered by the Act?
The act covers “consumers”, defined in Section 1798.140 as natural persons who reside in California. Consumers are given rights over their “personal information”, defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Section 1798.140 then lists what personal information includes:
“Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
“Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.”
“Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”
Professional or employment information
Non-public education information
Inferences, i.e. “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
The act affects every business meeting the thresholds below that handles this kind of data about California residents.
Who Must Comply
There has been some confusion over who must comply, with the popular assumption being that all businesses will have to. The bill says otherwise. According to Section 1798.140(c), for-profit businesses that collect and control California residents’ data, do business in the state of California, and meet one or more of the following thresholds must comply:
Generate $25 million in gross annual revenue or more
Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices
50% or more of revenue comes from selling personal information
Right to Know
Right to Opt Out
Consumers have the right to opt out of the sale of their information. It is this provision that may disrupt companies with business models similar to Facebook’s or Google’s. For consumers under 16, businesses cannot sell their data without an affirmative opt-in from the consumer (if aged 13 to 15) or from a parent or guardian (if under 13).
Right to Delete
Consumers have a right to deletion; however, there are some important exceptions. Businesses do not have to comply with a deletion request if they need to keep the data in order to:
Complete a transaction between the consumer and the organization
Detect security incidents, protect against malicious or illegal activity, or prosecute those responsible
Repair errors for service functionality
Exercise free speech, or ensure another consumer’s right to free speech
Comply with the California Electronic Communications Privacy Act (Chapter 3.6 of Title 12 of Part 2 of the Penal Code)
Ensure the success of public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws.
Enable solely internal uses of the data that are reasonably aligned with the consumer’s expectations based on their relationship with the business
Comply with a legal obligation
Otherwise use the data internally, lawfully, in a manner compatible with the context in which the consumer provided it.
Right to Equal Service
A business that discriminates against consumers for exercising their CCPA rights is in violation of the act. Section 1798.125 defines discrimination as:
Denial of goods or services to a consumer
Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
Providing a different level or quality of goods or services to a consumer because they exercised their CCPA rights
Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services
Businesses may, however, offer financial incentives for the collection, sale or deletion of consumer data. Consumers must explicitly opt in to such incentive programs, and may revoke that consent at any time. Section 1798.125 also states, somewhat vaguely, that businesses may not use “financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.”
What Does Enforcement Look Like?
The CCPA will be enforced by the California Attorney General. The civil penalty is up to $2,500 per violation, or up to $7,500 per intentional violation, and the Attorney General must first give the business 30 days’ notice and an opportunity to cure. In addition, consumers have an explicit private right of action under the CCPA: individually or as a class, they may seek statutory or actual damages if their non-encrypted, non-redacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
STEP ONE: UPDATE PRIVACY POLICIES & NOTIFICATION
What categories of personal information are being collected and the purpose of use
Explicitly make clear the categories of personal information collected, shared, or sold
Make clear that consumers have the right to opt-out of the sale of their information
Include all privacy rights that California consumers may now exercise
Due to differences in the rights afforded to consumers, companies may want to consider separate policies for California consumers and for individuals in the EU. This helps avoid confusion when meeting both CCPA and GDPR requirements.
STEP 2: BUSINESS PROCESSES & DATA MANAGEMENT
Companies that meet one or more of the CCPA thresholds will need to keep better track of the data they handle. A records system will have to be established to monitor and manage all data processing activities, covering internal business processes and any data shared between your business and third parties.
Companies will need to track whether the data they are handling will be sold at any point, and which specific categories of data are being shared with third parties. This overlaps with other regimes: data already governed by HIPAA is exempt from the CCPA and needs to be identified as such, while data subject to industry standards such as PCI DSS is not exempt but carries its own controls.
STEP 3: CONSUMER RIGHTS REQUESTS
This is quite possibly the most important aspect of the new law. Businesses will need to implement protocols to handle every consumer request regarding their personal data. That means preparing for a consumer saying no to the sale of their data, or telling you that you may not disclose their data to any third party. This falls under business processes because any request a consumer makes will affect operations, sales and marketing. Technology can help, but management will still need to prepare to process requests without derailing the overall mission of the organization.
As a reminder, the rights that businesses will need to honour are the following:
Right to Notice
Right of Access
Right to Know
Right to Delete
Right to Opt-Out
Right to Incentive Notice
Right to Non-Discrimination
To ensure you can cover all your bases to make this happen, let’s review how you can achieve the structural capability to do this.
Establish and maintain a database (records system) to record all data flows in your organization. Personal data needs a primary source of record that the rest of the organization uses to fulfil CCPA requests.
Establish a request process for consumers to use. This can be a dedicated web page, a toll-free number, a fax number or an application.
Establish protocols to verify requests. You will need to confirm that a request really comes from the consumer (or their authorised agent) before processing it, and do so without demanding more personal information than you already hold. Additional protocols are needed for documentation, response, blocking sale and deletion. Keep in mind that some requests do not have to be honoured; if you deny a request, state the CCPA basis for the denial.
Employees will need to be trained on the new processes, and they need to be able to carry out requests correctly.
Synchronise the CCPA database with other data sets so that consumer records are up to date. The last thing an organization wants is to approve a sale of data when the consumer has explicitly requested that their data not be sold.
In product development, ensure that consumers do not get a worse experience simply for exercising their rights. You may develop incentives for the use and sale of their data, but product or service quality cannot deteriorate because of a rights request.
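The following is an added example, not code from the original page or from Relentless, that puts Steps 2 and 3 into a small in-memory records system: a one-time code to verify a request, a trailing twelve-month disclosure with the 45-day response date described in the GDPR comparison earlier on this page, a gate that drops opted-out consumers from any outbound sale, and a deletion routine that applies the transaction-completion exception. The schema, consumer IDs and sample events are constructed; a real system would send the code to a contact detail already on file and persist the registry.

```python
"""Added example, not code from the original page or from Relentless.

A small in-memory model of the records system, request verification,
opt-out gate and deletion exception described in Steps 2 and 3, and of the
trailing twelve-month disclosure with 45-day response window described in
the GDPR comparison. The schema, identifiers and sample records below are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(days=45)   # statutory response window
LOOKBACK = timedelta(days=365)         # a disclosure covers the preceding twelve months


@dataclass
class Event:
    """One processing event in the records system (assumed schema)."""
    consumer_id: str
    category: str             # CCPA category, e.g. "identifiers"
    source: str               # category of source the data came from
    purpose: str              # business purpose
    recipient: Optional[str]  # third party it went to, or None if kept in-house
    is_sale: bool             # transfer for consideration (a "sale") vs. processing on our behalf
    when: date


@dataclass
class RecordsSystem:
    events: list[Event] = field(default_factory=list)
    opted_out: set[str] = field(default_factory=set)          # "do not sell" registry
    open_transactions: set[str] = field(default_factory=set)  # consumers with an unfinished transaction
    _challenges: dict[str, str] = field(default_factory=dict)

    # --- verifying that a request really comes from the consumer -----------
    def issue_challenge(self, request_id: str) -> str:
        """Create a one-time code; in practice it is sent to the contact detail on file."""
        code = secrets.token_hex(4)
        self._challenges[request_id] = hashlib.sha256(code.encode()).hexdigest()
        return code

    def verify(self, request_id: str, presented: str) -> bool:
        """Single attempt: the challenge is consumed whether or not the code matches."""
        expected = self._challenges.pop(request_id, None)
        if expected is None:
            return False
        got = hashlib.sha256(presented.encode()).hexdigest()
        return hmac.compare_digest(expected, got)

    # --- right to know: trailing twelve months, answered within 45 days ------
    def disclosure_report(self, consumer_id: str, received: date) -> dict:
        since = received - LOOKBACK
        hits = [e for e in self.events
                if e.consumer_id == consumer_id and since < e.when <= received]
        return {
            "categories": sorted({e.category for e in hits}),
            "sources": sorted({e.source for e in hits}),
            "purposes": sorted({e.purpose for e in hits}),
            "sold_to": sorted({e.recipient for e in hits if e.is_sale and e.recipient}),
            "shared_with": sorted({e.recipient for e in hits if not e.is_sale and e.recipient}),
            "respond_by": (received + RESPONSE_WINDOW).isoformat(),
        }

    # --- right to opt out: every outbound sale passes through this gate ------
    def release_for_sale(self, batch: list[Event]) -> list[Event]:
        """Drop records of opted-out consumers before a sale batch leaves the business."""
        return [e for e in batch if not (e.is_sale and e.consumer_id in self.opted_out)]

    # --- right to delete, honouring the 'complete the transaction' exception --
    def delete(self, consumer_id: str) -> tuple[int, Optional[str]]:
        """Return (records removed, reason for refusal or None)."""
        if consumer_id in self.open_transactions:
            return 0, "retained: needed to complete a transaction requested by the consumer"
        before = len(self.events)
        self.events = [e for e in self.events if e.consumer_id != consumer_id]
        return before - len(self.events), None


def build_sample() -> RecordsSystem:
    """Constructed sample data; the consumers and recipients are fictional."""
    rs = RecordsSystem()
    d = date(2019, 10, 1)
    rs.events += [
        Event("c-1", "identifiers", "website signup", "account management", None, False, d - timedelta(days=30)),
        Event("c-1", "internet activity", "website", "advertising", "ad-network-x", True, d - timedelta(days=60)),
        Event("c-1", "commercial information", "booking engine", "fulfil booking", "ota-y", False, d - timedelta(days=400)),
        Event("c-2", "identifiers", "call centre", "account management", None, False, d - timedelta(days=10)),
    ]
    rs.opted_out.add("c-2")          # c-2 clicked "do not sell"
    rs.open_transactions.add("c-1")  # c-1 has a booking in progress
    return rs


if __name__ == "__main__":
    rs = build_sample()
    print(rs.disclosure_report("c-1", date(2019, 10, 1)))
    print(rs.delete("c-1"), rs.delete("c-2"))
```

Two design points worth noting: the sale gate keys on the same registry the request handler writes to, which is the synchronisation Step 3 asks for, and the verification code is hashed at rest and compared in constant time so that a leaked challenge table or a timing side channel does not let someone else pull a consumer’s report.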
STEP 4: ADOPT RISK-BASED SECURITY PRACTICES
Both the CCPA and the GDPR require “reasonable” security measures. Given the need to protect against data breaches by external criminals and by trusted insiders alike, a risk-based approach to security is necessary. It is important to go beyond the bare minimum that policy often outlines. Threats keep multiplying, but the attack vectors remain limited. Risk-based security considers the organization’s vulnerabilities and works to mitigate the risk of an attack regardless of its origin. By pairing data loss prevention technology with strong insider-threat mitigation practices, companies can reach a higher degree of security than companies that ignore both.
STEP 5: DATA SUPPLY CHAIN AGREEMENTS
While the term “supply chain” is usually used in manufacturing, the idea of a data supply chain is not far-fetched given the value of data today. Businesses will need to know the entire lifecycle of the data they collect, process and use. Third-party processors that companies rely on will need to meet their obligations too, which means contracts with third-party processors must be updated to comply with CCPA requirements.
Be sure to do the following:
Require vendors to have a data inventory database to better manage and process rights requests
Require documentation of processing and a record of right request fulfilment
Require synchronised data mapping standards between yourself and all your suppliers to better manage data
Make sure there is a distinction between the transfer of data for processing to achieve your mission and the transfer of data for a sale.
The CCPA will disrupt your current data supply chain in some way, so be prepared for it. Third parties processing data may not be located in California or even in the United States. Make clear to them what is at stake for non-compliance and be sure the processor does not hinder your ability to comply with the CCPA.
What Comes Next
Relentless provides an expert CCPA service; find out more now.
An important implication of the CCPA (California Consumer Privacy Act) is that it is not limited to companies headquartered in California.
Rather, it applies to any company that does business in the state of California. Additionally, any such business that collects personal information, which in many cases is defined in terms much broader than those used by the GDPR, must adhere to the CCPA.
The scope of personal information covers anything that can be associated with an individual, from financial and medical information to internet activity, IP addresses and even inferences drawn from the data. Anything that can be associated with or identifies an individual or household could be covered.
Additionally, the CCPA defines “sale” as any transfer of personal information to another business or a third party for monetary or other valuable consideration. This can include transfers between affiliated companies under the same parent: only entities under common control that also share common branding count as part of the same business rather than as third parties. Knowing how consumer data moves within your organization becomes very important under this law.
WHAT DOES IT MEAN FOR HOSPITALITY?
Hotels today collect large volumes of personal data, much of which can be sensitive in nature. The CCPA forces hotels to think about how they manage this data, who has access to it, and who it is shared with: OTAs, car rental companies, travel excursion companies, and so on. Hotels need to know where this data goes in order to judge whether a given transfer falls under the CCPA’s definition of a sale.
Types of Organizations to Which the CCPA Applies:
Any for-profit organization that collects consumers’ personal data, does business in California, and satisfies at least one of the following three thresholds:
Has annual gross revenues in excess of $25 million
Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually
Earns 50% or more of its annual revenue from selling consumers’ personal information
Individuals to whom the CCPA applies: California residents, including both consumers and employees
MAJOR THEMES OF COMPLIANCE:
Right to disclosure – This is the right to be informed, at or before the point of collection, of the categories of personal information being collected and the purposes for which it will be used. Consumers also have the right to request, after the fact, an account of what information was collected about them, where it came from, and how it was used or shared.
This presents two significant problems for hotels. First, a hotel must be able to trace every data point it has collected on an individual, including where the data was sent and how it was used. With hundreds if not thousands of data points collected on every guest, this is daunting. Second, a hotel must verify the identity of the requester before disclosing anything, so that the request process itself does not become a vector for fraud or for disclosing one guest’s data to another person.
Right to deletion – Consumers have the right to request that a business delete the personal information it holds about them. This right is not absolute: the CCPA lists nine exceptions (GDPR has a shorter but similar list), including retaining data that is needed to complete a transaction the consumer requested or to comply with a legal obligation. Consumers will sometimes try to use a deletion request as a perceived loophole to escape obligations such as bar bills, room service charges or cancelled bookings; those records fall squarely within the exceptions and do not have to be deleted.
Right to opt out – This refers to the consumer’s right to opt out of the downstream “sale” of their personal information.
Right to non-discrimination – Businesses cannot deny goods or services, or charge a different price, to consumers who exercise their privacy rights.
Taken together, the right to opt out and the right to non-discrimination pose a particularly troubling issue for hotel loyalty programs. Strictly applied, the two are hard to reconcile: a hotel needs a guest’s stay history in order to give them the benefits the program promises, yet the guest may opt out of the sharing that history involves and may not be treated differently for doing so. There is currently an amendment pending that could exempt loyalty programs specifically; if it does not pass, this could put significant stress on loyalty programs.
What are the penalties?
There are two separate enforcement routes.
In the case of a data breach of nonencrypted or nonredacted personal information, affected individuals gain a private right of action, including class actions, on the basis of statutory damages. Consumers do not have to prove they suffered actual harm; they only have to show that their information was exposed and that the business failed to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident (or actual damages, if greater). So if 10,000 California residents are affected by a breach, that is a minimum of $1 million in statutory damages on top of all the usual costs of a breach.
Separately, the California Attorney General can bring an action for any violation of the law, which results in civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. The business is given 30 days’ notice to cure the alleged violation before a penalty is imposed.
Hospitality Sector Vendor Risk
For many hospitality companies, their partnerships with vendors pose a significant risk. However, the CCPA provides that a business which discloses personal information to a service provider under a compliant written contract is not liable if that service provider uses the data in violation of the law, provided the business had no actual knowledge of the misuse. This protection is built into the law, but it depends on having the right contractual terms in place.
Our ten advisory steps that hospitality companies can take to minimize their risk:
1) Assess your CCPA compliance
2) Complete CCPA assessments
3) Map the flow of personal data to perform key CCPA tasks
4) Streamline and comply with CCPA consumer rights
5) Meet the “Do not sell my personal information” requirement
6) Enable location specific cookie banners
7) Review vendors for CCPA contract obligation accountability
8) Comply with California data breach notification laws
9) Train employees
10) Enable reporting and metrics; keep evidence of consumer reports
How the California Consumer Privacy Act Affects Your Business: Everything You Need to Know
Did you know that the new California privacy law could have an impact on your business, even if you’re not based in the Golden State? Discover what the CCPA means for you, and for the future of data protection regulations around the world.
The arrival of the General Data Protection Regulation in May 2018 served as a wake-up call for the rest of the world. No longer could businesses afford to be lackadaisical about consumer privacy or how they manage their data. With implications not only for organisations within the European Union but for those based internationally as well, GDPR prompted lawmakers across the globe to take note and take action. One of the first to do so was the US state of California, which, mere weeks after GDPR came into effect, signed its own updated data protection rules into law: the California Consumer Privacy Act (CCPA) of 2018. So far, so interesting, but what does any of this have to do with you? After all, your business isn’t based in California; it’s based in another US state entirely, or even in a completely different country.
Does that mean the California Consumer Privacy Act of 2018 doesn’t affect you?
Is it time to stop reading this article and go about your day?
Not exactly. Here’s the truth:
The Consumer Privacy Act Could Impact Your Business
How will the new Consumer Privacy Act affect your business?
At Relentless, we specialise in helping businesses manage their data protection and enjoy frictionless compliance with current legislation in a way that helps them to grow in today’s privacy-savvy culture.
Today, we’ll talk about why the new California legislation could impact your business wherever you are in the world, and offer our expert insights on what you might need to do to ensure long-term compliance.
However, before we get to that, let’s first answer the one question that’s most on your mind:
What is the California Consumer Privacy Act 2018?
Signed into law on June 28th, 2018, the CCPA takes its cues directly from GDPR, giving Californians many of the same rights as those laid out in the EU-wide regulation. In the legislative findings accompanying the bill, lawmakers wrote:
“California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information”.
“It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency to their business practices.”
To ensure that businesses are both transparent and respectful when it comes to consumer privacy, the new act gives consumers the right to request that a business disclose the following key details:
The categories and specific pieces of personal information that it has collected about them.
The categories of sources from which that information was collected.
The business or commercial purpose for collecting the information, whether that is to use it for its own business purposes or to sell it to a third party.
The categories of third parties with which the information is shared.
What else does the CCPA say?
Along with the requirement to meet those data requests at no cost to the individual, the new law places several other obligations on businesses. These include:
Informing people of the categories of personal information being collected and the purposes for which it will be used, before or at the point of collection.
Providing the same level of service and pricing to individuals who exercise their privacy rights.
Not selling personal information once an individual has opted out of its sale.
Does CCPA Apply to My Business?
Contrary to what some believe, the California Consumer Privacy Act doesn’t just apply to businesses based within California. Rather, any business with customers in California is affected if it meets at least one of the following three criteria:
The business has annual gross revenues of more than $25 million.
For commercial purposes, the business buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices annually.
The business generates at least 50% of its annual revenue from selling consumers’ personal information.
This includes businesses based in other US states, or even in other countries.
The immediate and long-term impact of CCPA
So, with all that being said, how exactly does CCPA affect your business? The most obvious answer is this:
If your business meets any of the above criteria, then you’ll need to be sure you’re fully prepared and fully equipped to deal with the deluge of data requests likely to come your way.
Most experts predict that Californians are going to be quick off the mark when it comes to exercising their new privacy rights. Requests are likely to come in two forms: those from consumers who want to know what data you hold about them, and those from consumers who want to exercise what is often known as “the right to be forgotten” and have the data you hold about them deleted.
So if you don’t yet have a system in place to respond to those requests, now is the time to start putting one in place. Before you start panicking, however, here’s the good news.
CCPA doesn’t come into effect until January 1st, 2020.
At the time of writing, that gives affected businesses a little over eight months to get ready. But what about businesses not immediately impacted by the CCPA? What happens if you don’t have customers in California?
Does that mean you can forget all about data protection and carry on as normal? Not quite.
Here’s the thing:
The California Consumer Privacy Act of 2018 is only the beginning of a widespread shift in privacy culture. California may be the first US state to adopt a GDPR-like approach to consumer privacy, but it certainly won’t be the last. Georgia has already started working on new privacy laws, and many other US states are expected to follow suit.
In other words, by the first half of the next decade we should expect GDPR-style regulations to become the norm across the United States as well as in countries outside the US and EU.
So, even if you’re not immediately impacted by CCPA, you’ll still find it beneficial to make changes now and avoid getting caught out when new laws do start to affect you.
How GDPR Compliance Can Help You Prepare for CCPA
Of course, all this begs one very important question: What does your business have to do to get ready for the arrival of CCPA or other privacy regulations that could be implemented in the coming years?
In many cases, the changes you need to make to your systems, processes, or culture as a whole may be minimal, especially if you have already taken the necessary steps to comply with the General Data Protection Regulation. Remember, the CCPA is directly influenced by GDPR, just as most new privacy laws are expected to be in future. So, if you have followed the steps outlined in our GDPR compliance assessment, you may well find that you are already well on your way to CCPA compliance.
If not, don’t worry: Help is at hand.
At Relentless Privacy & Compliance we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws.
From training and consultancy that empowers your employees with the skills and know-how they need to protect your customers’ private information to hands-on support with developing the kind of secure, effective data protection processes that enable your business to thrive in the digital economy, we offer bespoke services tailored to help you achieve your long-term goals.
See our comprehensive CCPA Service to find out how we can help you prepare for and achieve CCPA compliance.