Are your clients ready for the California Consumer Privacy Act (CCPA)? If not, they’ve got a little less than a year to get there, and you can help them.
What Is the California Consumer Privacy Act?
California recently became the first state in the US to pass comprehensive data privacy legislation. This new law takes effect on Jan. 1, 2020, and it gives California consumers a number of rights over the collection and use of their personal data by businesses or other entities.
Under CCPA, consumers in California have the following rights:
- Consumers are entitled to know what personal information is being collected.
- They have the right to be informed when their personal information is sold or disclosed, and to whom it is sold or disclosed.
- Once informed, consumers may “opt-out,” or refuse to allow the sale of their personal information.
- For consumers under the age of 16, affirmative consent is required. This means that they must “opt-in” before a company can sell their data.
- Companies are required to provide equal service and price to all consumers, even if they exercise their privacy rights.
What Is Considered Personal Information?
In order for businesses to comply with this law, it’s important to first understand what information it covers. According to the California Consumer Privacy Act, “personal information” means any information that could potentially identify someone. If the information relates to that person, describes them, or is capable of being associated with them in any way, it is personal information.
The law lists some examples, including consumer information (such as products they’ve purchased), biometric information, internet activity, and others. See the California Consumer Privacy Act website for a complete list of examples.
What Should Employers Do?
First, each employer needs to determine whether or not they are subject to the California Consumer Privacy Act. Here’s how.
The CCPA applies to your business if:
- You do business in California, collect the personal information of California residents, and determine the purposes and means of processing that information; AND
- You answer “yes” to at least one of the following:
  - Do you have annually adjusted gross revenues of more than $25 million?
  - Do you buy, sell, share, or receive personal information of at least 50,000 California residents, households, or devices?
  - Do you get at least 50 percent of your annual revenues from selling the personal information of California residents?
  - Do you control (or are you controlled by) a business that meets these criteria?
Steps for Businesses to Ensure Compliance with CCPA:
Talk to all of the employers on your client list about compliance with this new law. If their businesses are affected by the CCPA, they will need to take a number of steps. They have about one year to make necessary changes before the law takes effect in 2020. This could mean significant updates to internal systems and data processes.
If they haven’t done so already, employers who collect, sell, or disclose personal information should purchase cybersecurity insurance. And it would be a good idea to enhance their cybersecurity strategies as well.
In addition, employers should review all of their data policies and third-party agreements to ensure that they are in compliance with the new law.
It is also important to note that California is the first state to pass comprehensive data privacy legislation. That doesn’t mean that businesses in other states are off the hook. Cybersecurity is a growing concern for consumers all over the world. It is likely that other states may follow California’s example and pass legislation of their own, especially now that they have an example to look to. So even if a company is not currently subject to CCPA, they might want to consider updating their cybersecurity practices in preparation for future legislation.
15 Tips to Keep Data Safe
Here are a few tips for good data security practices that employers can use today. Tell your clients that they may want to follow this advice.
- Encrypt your data. You don’t have to be a tech genius to do it. There are a number of plug-ins available that will do the work for you.
- Back up all of your data. This will ensure that you can access your data if a device is lost or stolen.
- Use anti-malware protection.
- Clean old computer hard drives before discarding them so that no one can use them to access your data.
- Don’t use Social Security Numbers or other personal information as account numbers.
- Don’t ask your customers for personal information unless it is absolutely necessary.
- If you do have to ask for personal information, avoid asking in front of other customers or in a place where the information could be seen or overheard.
- If you conduct transactions that involve using personal information, turn your computer screen away from public view.
- Create third-party contracts that ensure that others keep your customers’ information as safe as you do.
- Always install operating system updates. They might be a huge pain, but they often contain necessary security patches.
- Secure your wireless network.
- Turn off your computer when you’re not using it.
- Use a firewall.
- Practice the Principle of Least Privilege. This means that you log in with the least amount of permission necessary to complete a task. For example, even if you have administrator privilege on a particular system, do not log in with your administrator password unless it is necessary for the task you are completing.
- Don’t store passwords with your computer, laptop, or mobile device.
If you have employers on your client roster, help them get ahead of the California Consumer Privacy Act rollout by updating their cybersecurity practices today.