Cybersecurity and Fraud Protection
How California’s New Data Privacy Regulations Could Impact Your Business
California’s new landmark privacy law raises the bar for collecting and processing personal information from California consumers. Learn how this law impacts companies across different industries—regardless of where they’re located.
California’s comprehensive privacy law went into effect on January 1, 2020. These new requirements could have a significant impact on your business if it collects personal information about California consumers, regardless of where your business is located.
The California Consumer Privacy Act (CCPA) covers every resident in the state of California. Nearly a dozen states have introduced similar privacy bills that use all or some version of the CCPA as a template for requiring how businesses should protect consumer data.
The CCPA applies to any company based or operating in California that makes at least $25 million in annual revenue; collects data on 50,000 or more consumers, households or devices; or makes at least half of their money from selling consumers’ personal information. More importantly, the CCPA includes broad definitions of consumer personal information, including predictive information on a person’s behavior and identifiers such as IP addresses, geolocation and biometric data.
“We expect more states to introduce legislation that mirrors all or a significant part of the CCPA’s requirements, which will change the landscape for data privacy and protection for many companies as we know it,” said Steve Turk, Chief Data Officer for Commercial Banking.
California recently topped the U.K. as the world’s fifth-largest economy, which means the CCPA’s scope is massive given the number of companies that are either headquartered or have operations within the state—or do business with California consumers.
Many organizations want a uniform approach to data privacy regulations that includes all U.S. clients and customers rather than laws that vary state by state. However, the U.S. does not yet have a general federal consumer privacy law. As such, it’s important to understand the scope and application of state privacy laws—such as the CCPA—that may impact your operations.
How the CCPA Works
Wherever your business is headquartered, if your company is subject to any of the CCPA’s provisions, your California consumers have the right to request that your company disclose the personal data you keep on them. They also have the right to ask your company to stop selling that data to third-party advertisers or other entities through the “Do Not Sell My Personal Information” website link. Consumers may request to see all the personal information collected by a business and you have 45 days to disclose and deliver. Companies subject to the CCPA must provide consumers with a method for submitting these requests, which in some circumstances may be a link on the company’s website.
In addition, the CCPA allows individuals to recover damages from a company that fails to maintain appropriate security procedures and practices for dealing with personal information if the company suffers a data breach.
Even if your organization currently doesn’t fall under any provision of the CCPA, it’s a good idea to start building compliance into your overall privacy, cybersecurity and recovery/resiliency plans, Turk said.
“You should know where your data is stored and protect it,” Turk said. “This includes employee personal information that your human resources department would collect, such as names and Social Security numbers. It also extends to client data that you store, such as account numbers.”
Turk added, “This changing regulatory environment provides both an incentive and a good opportunity to assess potential risks within all your data systems so you can prioritize actions now.”
5 Ways to Manage Your Data
Maintain good cyber hygiene protocols around sensitive data, such as the principle of least privilege, which limits data access to personnel who need to know the information to perform their job function. These actions will help minimize breaches from cyberattacks, fraud attempts or employee-caused events. Your organization should also consider all relevant legal or regulatory requirements as part of this process. In addition, you should:
- Know your data
Knowing exactly what client or customer data your company collects and uses.
- Know where your data is stored
Digital and paper data storage may go through multiple iterations during the life of a business. Know how to locate it.
- Confirm who has access
Identifying staff members with full or partial access to your data is essential for designing safer systems.
- Limit file sharing
Investigate the latest tools to prevent file sharing that can lead to costly data breaches.
- Train your team
Data security begins with proper staff practices that are regularly updated and reinforced.