California Consumer Privacy Act (CCPA), GDPR and the move to strengthen consumer privacy rights

California Consumer Privacy Act and Compliance Requirements

The much anticipated California Consumer Privacy Act (CCPA) took effect Jan. 1 of 2020, with business compliance enforcement beginning on July 1, 2020.

The new law recognizes several rights that consumers have regarding their personal data. According to the law, consumers have the:

Right to Know: Consumers have the right to be informed about a company’s collection, use, disclosure, and sale of personal information and to be informed of the specific pieces of their personal data held by the company.

Right to Delete: Consumers have the right to request that a company delete their personal information, and the company must in turn direct its service providers to delete that data as well.

Right to Opt-Out: Consumers have the right to tell a company that sells their personal information not to sell it. Minors are handled on an opt-in basis instead: for minors who are at least 13 but under 16, a company cannot sell their personal information without the minor's affirmative authorization, and for children under 13 that authorization must come from a parent or guardian.

Right to Nondiscrimination: A company cannot discriminate against a consumer for exercising any of these rights. For example, a company cannot deny goods or services, charge different prices, or provide a different level or quality of service to the consumer.

The law applies to for-profit businesses that collect California residents' personal information and do business in the state. Non-profits and government agencies are outside its scope, and most small businesses fall below the thresholds that follow.

To be covered, a business must also meet at least one of three thresholds:

  • Have annual gross revenue of more than $25 million;
  • Buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices annually; or
  • Derive 50 percent or more of its annual revenue from selling California residents' personal information.

Personal information covered by the CCPA includes personally identifiable information, biometric information, internet activity information, geolocation information, professional or employment information, education information that is not publicly available, and inferences drawn from the above information.

California can assess civil penalties for noncompliance: up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Separately, the CCPA gives consumers a private right of action, but only for data breaches: if non-encrypted, non-redacted personal information is exposed through unauthorized access or exfiltration because the company failed to maintain reasonable security, affected consumers can sue for actual damages or statutory damages of $100 to $750 per consumer per incident, whichever is greater. This is the provision that makes the security program itself a compliance question.

Under the statute as enacted, a company has 30 days after receiving notice of an alleged violation to cure it before civil penalties or statutory damages apply.


How does CCPA differ from GDPR?

The CCPA is similar to the EU's General Data Protection Regulation (GDPR) in that both give individuals more control over their personal information.

The GDPR, which took effect in May 2018, requires all EU member states to enforce a uniform set of data privacy rules designed to safeguard personal information and to give individuals the means to access, correct, and delete their personal data.

As the CCPA does for California residents, the GDPR applies to companies that process data on EU residents regardless of where the company is based. The GDPR also carries stiff fines for violations: up to €20 million (roughly $22 million) or 4 percent of global annual turnover, whichever is higher.

Both the CCPA and the GDPR give the individual the right to have personal data a company holds deleted, and that obligation extends to copies held in archives and backup systems, not only to live production data.

One significant difference is the legal basis for processing. The GDPR requires a lawful basis, such as the individual's consent, before personal data may be collected or used at all. The CCPA does not require consent to collect data; instead it gives California residents the right to opt out of its sale. Under the CCPA, a company or website therefore does not need prior approval from an adult consumer before selling their data to a third party, although it must honor an opt-out once received and must obtain opt-in consent for minors under 16.


CCPA and data archiving, search, and retrieval

What does the CCPA mean for data archiving and backup, as well as data search, retrieval, and deletion?

An essential aspect of the CCPA for data archiving and backup is that a company needs a documented procedure for locating, retrieving, and deleting a consumer's personal data on request, and that procedure has to reach archived and backed-up copies, not just the primary mailbox or database.

The CCPA entitles a consumer to request access to the personal information the company collected about them during the 12 months preceding the date of the request. A deletion request, by contrast, is not limited to that window.

Companies need a plan for handling consumer requests to retrieve and delete information in data archives. Finding and removing the personal information is harder when the data is spread across multiple locations, when there is a large volume of data to search, and when the deletion deadline is tight, and all three usually apply to mail archives.

Under the CCPA, businesses have 45 days to respond to a consumer request to access or delete personal information. The deadline can be extended once, by an additional 45 days, if the company notifies the consumer within the initial period and gives a reason for the delay.

Under the implementing regulations, if the consumer's personal information is held in an archive or a backup system, a company may defer deleting it from that archive or backup until the next time the data is accessed or restored to active use. The live copy still has to be deleted within the deadline, and the deferred copy must be tracked so it is actually removed when the backup is touched again.

In addition, a business needs to maintain records of consumer requests and the company's responses to them for at least 24 months.

Businesses should update their data retention policies and procedures, as well as their information security and data privacy policies. They should also confirm that their data search and retrieval procedures can locate every copy of a consumer's data and complete a deletion request within the 45-day deadline, not just in theory but in a timed rehearsal.

Data mapping exercises should also cover backed-up data: a company cannot honor a deletion request against a backup it does not know holds the consumer's personal information.

Dropsuite’s cloud-based mail archiving and backup solution can help with CCPA compliance in the same way it has helped with GDPR compliance. The product lets a data protection officer (DPO) assign roles and review personal data requests, and review, flag, export, or delete the data involved. A DPO can also assign and delegate internal and external access permissions so that auditors can perform data discovery and analysis.

We provide a range of search capabilities to shorten the data discovery process. Our solution also gives a DPO the ability to export a copy of data for the requester or to delete any customer data upon request. A DPO can retain data for six months or more on individual or bulk messages and add legal holds on individual or bulk messages indefinitely.

Our solution helps organizations store, safeguard, manage, and discover data from the most popular email systems, including Microsoft Exchange Online, Hosted Exchange, G Suite Gmail, and IMAP.

Dropsuite simplifies compliance with CCPA, GDPR, the Health Insurance Portability and Accountability Act (HIPAA), and other regulations. Visit us to review our compliance coverage.
