Concerned with these privacy challenges, in 1995 the European Union led the world in electronic privacy by adopting the European Data Protection Directive. This was replaced in 2018 with the General Data Protection Regulation (GDPR) – which as many of us know, applies to any organization that collects the PII of Europeans.
In 2018 the California legislature passed the California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020. Then, in a bid to strengthen the law, privacy advocates received a major victory when the California Privacy Rights Act (CPRA) was passed in November 2020. Aside from a few provisions, the CPRA goes into effect in 2023.
The CCPA established the requirement for businesses to provide consumers certain notices explaining their privacy practices and gave consumers more control over the personal information that businesses collect about them, including the rights to (among others):
• Know what PII a business collects, how it is used and shared;
• Delete the PII collected from them; and
• Opt-out of the sale of their PII.
For-profit businesses are covered by the CCPA if they meet any of the following:
• Greater than $25 million in annual revenue,
• Buy, sell or receive over 50,000 personal records,
• Receive at least 50% of their annual revenue from selling personal information.
The new CPRA, however, changes the record threshold to 100,000 records and now includes revenue generated from sharing personal information. The CPRA also adds the new category of sensitive personal information.
Included in these laws are the right to have information protected at a commercially reasonable level. Without such protection, both California privacy laws provide for penalties and an ability for individuals to receive compensation.
Business owners may need to adhere to multiple privacy laws which are based on the residence of the individual whose protected data you hold, not only where you do business. Additionally, privacy legislation is being actively discussed nationally, so the principles discussed here may soon apply to many more companies.
One way or another, you are likely to be covered by privacy laws either now or soon. So, it’s time to start thinking about what you need to do.
1. Understand your data. It’s critical to know what data you have so you can know how to protect it and how to protect the rights surrounding that data.
3. Get your information security in order. Both California privacy laws offer defenses to enforcement if you have a commercially reasonable level of Information Security in place. If your firm is large, speak with your Information Security experts to ensure that your practices comply with the law. Otherwise, make sure you have retained qualified Information Security experts to ensure you are protecting your organization. Remember Information Technologist are not Security experts, and you need to consult Information Security subject matter experts who understand what it means to have commercially reasonable Information Security.
4. Develop operational privacy management procedures. Built upon sound privacy policies, effective operational procedures ensure your ability to comply with privacy laws and other contractual responsibilities.
Privacy laws are here and will only get stronger. From a privacy perspective, you must ask: Are we employing commercially reasonable levels of privacy and protection now and if new laws are passed – will we still be covered? If the answer to either is ‘no,’ it’s time to get ready.
David Lam, CISSP, CPP, is partner and CISO at Miller Kaplan. Learn more about the firm’s information security services at millerkaplan.com.
Return To Index
For reprint and licensing requests for this article, CLICK HERE.
Stories You May Also Be Interested In
- CUSTOM CONTENT: California’s Sweeping Consumer Privacy Law - What companies need to know to mitigate their risk.
- Data Privacy, Retail & Consumer Goods: A Roundtable Discussion
- Leaders in Law 2018: California Consumer Privacy Act and Its Impact
- Leaders in Law 2018: The California Consumer Privacy Act: What Businesses Need to Know
- 2020 Economic Forecast & Trends: CCPA - The Next Horizon for M&A Deals
- 2020 Economic Forecast & Trends: With 2020, Businesses Face New Restrictions for Using California Consumers’ Personal Information
- Leaders in Law 2019 Nominees: Why Going to a Lawyer for Privacy Compliance Advice is a Good Idea
- 2020 Economic Forecast & Trends: Glutton for Punishment, You Are