How California’s Data Privacy Regulations Could Impact Your Business 

California’s comprehensive data privacy laws could have significant impacts on your business if it collects personal information about California consumers, regardless of where your business is located.

The California Consumer Privacy Act (CCPA) together with the amendments made by the California Privacy Rights Act (CPRA),  covers every resident in the state of California. Nearly a dozen states have introduced similar privacy bills that use all or some version of the CCPA as a template for requiring how businesses should protect consumer data.

The CCPA applies to any company based or operating in California that makes at least $25 million in annual revenue; collects data on 50,000 or more consumers, households or devices; or makes at least half of their money from selling consumers’ personal information. More importantly, the CCPA includes broad definitions of consumer personal information, including predictive information on a person’s behavior and identifiers such as IP addresses, geolocation and biometric data.

“We expect more states to introduce legislation that mirrors all or a significant part of the CCPA’s requirements, which will change the landscape for data privacy and protection for many companies as we know it,” said Steve Turk, Chief Data Officer for Commercial Banking.

California recently topped the U.K. as the world’s fifth-largest economy, which means the CCPA’s scope is massive given the number of companies that are either headquartered or have operations within the state—or do business with California consumers.

Many organizations want a uniform approach to data privacy regulations that includes all U.S. clients and customers rather than laws that vary state by state. However, the U.S. does not yet have a general federal consumer privacy law. As such, it’s important to understand the scope and application of state privacy laws—such as the CCPA—that may impact your operations.

How the CCPA Works

Wherever your business is headquartered, if your company is subject to any of the CCPA’s provisions, your California consumers have the right to request that your company disclose the personal data you keep on them. They also have the right to ask your company to stop selling that data to third-party advertisers or other entities through the “Do Not Sell My Personal Information” website link. Consumers may request to see all the personal information collected by a business and you have 45 days to disclose and deliver. Companies subject to the CCPA must provide consumers with a method for submitting these requests, which in some circumstances may be a link on the company’s website.

In addition, the CCPA allows individuals to recover damages from a company that fails to maintain appropriate security procedures and practices for dealing with personal information if the company suffers a data breach.

Even if your organization currently doesn’t fall under any provision of the CCPA, it’s a good idea to start building compliance into your overall privacy, cybersecurity and recovery/resiliency plans, Turk said.

“You should know where your data is stored and protect it,” Turk said. “This includes employee personal information that your human resources department would collect, such as names and Social Security numbers. It also extends to client data that you store, such as account numbers.”

Turk added, “This changing regulatory environment provides both an incentive and a good opportunity to assess potential risks within all your data systems so you can prioritize actions now.”

5 Ways to Manage Your Data

Maintain good cyber hygiene protocols around sensitive data, such as the principle of least privilege, which limits data access to personnel who need to know the information to perform their job function. These actions will help minimize breaches from cyberattacks, fraud attempts or employee-caused events. Your organization should also consider all relevant legal or regulatory requirements as part of this process. In addition, you should:

1. Know your data 
   Knowing exactly what client or customer data your company collects and uses.
   
   
2. Know where your data is stored 
   Digital and paper data storage may go through multiple iterations during the life of a business. Know how to locate it.
   
   
3. Confirm who has access
   Identifying staff members with full or partial access to your data is essential for designing safer systems.
   
   
4. Limit file sharing 
   Investigate the latest tools to prevent file sharing that can lead to costly data breaches.
   
   
5. Train your team 
   Data security begins with proper staff practices that are regularly updated and reinforced.