Following the EU’s General Data Protection Regulation (GDPR), which included penalties of up to 4% of a company’s global turnover or 20,000,000 EUR, California has enacted its own regulation, the California Consumer Privacy Act (CCPA).
As a result, organizations with an online presence have been sending out notifications explaining updates to their privacy policies. While these updates are meant to provide peace of mind for the average person, the regulations behind them can be stressful for organizations doing business over the internet. Understanding the CCPA and its implications is key.
What is the CCPA?
The CCPA creates new consumer rights related to accessing, deleting, and sharing personal information that is collected by businesses. It gives California consumers new rights, including the right to take legal action against companies that violate the Act’s guidelines.
Under the CCPA, California consumers have the right to know what personal information is being collected, used, shared, or sold. They also have the right to opt-out of the sale of their personal information and to request that businesses holding their personal information delete it.
While the CCPA was enacted in 2018, California’s Attorney General cannot enforce it until July 1, 2020, which helps explain the recent influx of privacy-policy update notifications.
Who has to comply?
If you’re thinking that your organization is exempt because it doesn’t operate in California, you could be wrong.
The CCPA applies to any business that collects personal data from California residents and meets one of the following thresholds:
- Has gross annual revenues over $25 million
- Buys, sells, or receives the personal information of 50,000 consumers, households, or devices
- Derives 50% of its annual revenue from selling consumers’ personal information.
What does it mean for organizations that need to comply?
If your organization meets the requirements and is subject to the CCPA, you must create procedures for responding to requests from consumers who want to know what information you’re collecting, opt-out of your data collection processes, or request that their personal data be deleted.
This includes providing consumers with “Do Not Sell My Information” links on your website or mobile apps. And the Act requires that organizations respond to requests within a specific time frame.
Organizations will also be required to disclose any financial incentives around retaining or selling personal information and to explain how they calculate the value of the information.
As part of the compliance process, organizations will have to maintain all records relating to requests, including responses, for 24 months.
What if we don’t comply?
Under the CCPA, both individual consumers and California’s Attorney General have the right to take action against organizations that do not comply.
According to the CCPA, individual consumers can—under certain circumstances—bring action if a business experiences a data breach. These circumstances include cases where there has been clear unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information.
The Attorney General can take civil action if an organization remains non-compliant 30 days after being notified. The fines resulting from that action are calculated on a per-record basis and can be anywhere from $2,500 for a non-intentional violation to $7,500 for an intentional violation.
But we already comply with the GDPR
If you think that your organization is automatically compliant with the CCPA because you’re already GDPR-compliant, you could be wrong here too.
The two are separate legal frameworks and focus on different privacy concerns. Where the GDPR goes further in protecting against data breaches, the CCPA takes a broader view of what constitutes privacy.
One main difference between the two is how they define personal information. While the definition of personal data in the GDPR explicitly refers only to individuals, the CCPA expands that definition to include household information.
Under the GDPR, personal data is any information directly or indirectly relating to an identified or identifiable natural person. Under the CCPA, personal information is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household.
This means that, for example, while both the GDPR and CCPA require that organizations develop processes for responding to requests for access to personal information, the process itself will need to be reviewed because the CCPA operates with a different definition of personal information.
In both cases, the challenge is how to locate and protect private data.
Steps toward compliance
Now that you’ve determined that your organization has to comply, what do you do?
Ensuring compliance involves several steps and requires the participation of different departments within your organization, including legal, IT, operations, and security.
1. Review your organization's privacy policies and notices
The CCPA first requires you to be transparent about your processing activities, including being clear about what categories of personal information you are collecting and the purposes behind the collection.
Second, it requires that you inform your customers about the new rights afforded to consumers under the Act. To comply, you may have to update your privacy policies.
2. Implement protocols that ensure consumer rights
These rights include the right to access, the right to know, the right to delete, and the right to opt-out. This means that you must make it possible to identify, find, and remove personal information within your systems.
3. Update security practices
The CCPA requires that organizations protect personal data proactively. The Act allows organizations to take a risk-based approach to assess threats to data, which then allows them to rank vulnerabilities and address high-risk gaps first.
This can be challenging for many organizations, because the expense of addressing higher-risk gaps might mean putting off the mitigation of medium- or low-risk gaps as a cost-saving measure. Deferring those gaps does not reduce the potential fines or legal actions made possible under the CCPA.
How can Genetec help?
When you consider the amount of personal information being collected by physical security systems, the potential challenges associated with CCPA compliance can seem daunting. We understand this, and we’re already set up to help. Protecting privacy is one of the key pillars of our work.
Our solutions are developed using a privacy-by-design approach. This means that privacy protection is a fundamental part of the design process and is built in from the ground up.
When it comes to protecting personal information, our solutions help you ensure that only authorized personnel have access to data.
Our built-in privacy protection safeguards individual identities within a camera’s field of view by automatically redacting video. Our solutions also help you to securely collect, manage, and share data.
These are all important steps for protecting information and for responding to consumer requests to know what is being collected and why.