How to be prepared before 2020?
Driven by the continued global rise in consumer data breaches and growing privacy concerns, the State of California recently passed the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA represents the most demanding customer data privacy statute enacted to date at the U.S. state level. Businesses like financial institutions will need to consider existing privacy rules in the U.S. when assessing the potential impact of CCPA.
The CCPA is similar to the recent European Union’s General Data Protection Regulation (“GDPR”) that came into effect in May 2018. While CCPA and GDPR have differences, both laws provide consumers a greater ability to control their personal information. The CCPA also imposes requirements and prohibitions on businesses that collect or sell this information.
Although the CCPA became California state law on September 23, 2018, the Attorney General’s enforcement of the CCPA goes into effect six months after publication of the implementing regulations, or July 1, 2020, whichever comes first. Sia Partners will continue to monitor and report on regulations issued by the Attorney General of California.
The CCPA is designed to protect California residents’ personal information from the threats of unwanted disclosure, sharing, or sale. A key objective of the CCPA is to prevent situations like the recent event involving Cambridge Analytica gaining access to personal information of approximately 87 million Facebook users without their consent.
Although the CCPA is a California law, it impacts businesses that collect, share or sell personal information of California residents, regardless of where their operations are located. These individuals could be consumers as well as potentially employees or independent contractors. According to experts in a recent article published on Bloomberg BNA, the CCPA will apply to over 500,000 businesses servicing approximately 40 million California residents. This law is the first of its kind in the US, but other states could follow this trajectory in the next few months and years.
Companies are investing heavily in digital technologies and big data. The volume of personal information collected has increased significantly in the last few years and will continue to grow in the upcoming years. Indeed, the collection of personal information has become a significant asset for companies, supporting cost reduction, customer journey personalization and broad competitiveness.
Personal information is used by numerous departments and can be collected through various channels and technologies.
> The protection of personal information is paramount, and the rights granted to individuals are reinforced.
The CCPA will confer new rights upon California residents, which businesses must notify consumers of and address in their policies. This will introduce new cross-functional processes across business departments:
- The right of Californians to know (a) what personal information is being collected about them and (b) whether their personal information is sold or disclosed and to whom.
- The right of Californians to access their personal information held by businesses or their third parties.
- The right of Californians to request that businesses delete their personal information, subject to certain exceptions such as the need for the business to comply with legal obligations.
- The right of Californians to prohibit the sale of their personal information (“opt-out”) and the need to authorize such a sale for individuals 16 years old or younger (“opt-in”).
- The right of Californians not to be discriminated against when exercising their privacy rights.
- The right of Californians to seek statutory damages from businesses in case of violations. Statutory damages range from $100 to $750 per consumer per incident or actual damages, whichever is greater.
To help enforce these rights, the CCPA imposes requirements and prohibitions on businesses that collect or sell personal information:
- Disclosure Requirements: Upon receipt of a verifiable consumer request, businesses will be required to disclose:
  - the categories and specific pieces of information that they collect about the consumer;
  - the categories of sources from which that information is collected;
  - the business purposes for collecting or selling the information; and
  - the categories and identity of third parties with which the information is shared.
- Deletion Requirements: Upon receipt of a verifiable consumer request, businesses will be required to delete the personal information as long as doing so does not interfere with the legal obligations of the business.
- Opt-out Requirements: Businesses will be required to grant a consumer’s verified request to opt out of the sale of their personal information.
- Opt-in Requirements: Businesses will be required to seek affirmative authorization before selling the personal information of consumers under 16 years of age.
- Discrimination Prohibition: Businesses will be prohibited from discriminating against customers who exercise their personal information-related privacy rights. Businesses will still have the ability to offer financial incentives for the collection of personal information.
Businesses first need to assess the CCPA’s applicability to their operations.
Once the need to comply with some or all of the CCPA’s sections is confirmed, businesses need to assess whether their existing data privacy and information security policies, procedures and practices are sufficient to meet the CCPA’s requirements.
Our experience working with clients to establish resilient and sustainable data privacy and information security capabilities that are compliant with regulatory expectations demonstrates that the effort can be organized across the following areas:
The success of the CCPA compliance project relies on an organization’s ability to mobilize its workforce and create a long-term solution based on a sound corporate culture and effective governance.
The CCPA impacts businesses that collect, share or sell personal information of California residents, regardless of where their operations are located. These individuals could be consumers as well as possibly employees or independent contractors.
The CCPA also lists a number of exemptions that need to be considered when determining the act's applicability to a business. These exemptions relate to existing U.S. privacy laws. Subject to certain exemptions discussed below, the following decision tree outlines the initial determination of whether CCPA will impact a business:
Even though a business may appear to be covered under the CCPA, there are a number of exemptions that limit the act’s applicability. Businesses covered under existing privacy-related regulations first need to determine the extent to which the CCPA applies to them.
| Entities Covered Under | Do Not Have to Comply with the CCPA for Personal Information Falling into the Scope of: |
|---|---|
| 1. GLBA | Non-Public Information (NPI), i.e., financial information |
| 2. CFIPA | Non-Public Information (NPI), i.e., financial information |
| 3. HIPAA | Protected Health Information (PHI) |
| 4. DDPA | Personal information in connection with a motor vehicle record |
| 5. CMIA | Medical information |
| 6. Common Rule | Information collected from a trial subject |
GLBA-, CFIPA- or DDPA-regulated entities, however, remain impacted by consumers’ right of action to seek statutory damages.
HIPAA-regulated entities do not have to comply with the CCPA if they are a Health Care Provider, Health Plan or Health Care Clearinghouse as defined in the Privacy, Security, and Breach Notification Rules established pursuant to HIPAA.
CMIA-regulated entities do not have to comply with the CCPA if they are health care providers, health insurers, or individuals or businesses they contract with that have access to medical information, including IT companies (called contractors).
Sia Partners has developed documentation, templates, methodologies and tools (e.g., a gap assessment tool) to assist businesses in complying with the CCPA: