The General Data Protection Regulation, or GDPR, went into effect on May 18, 2018, effectively setting a tone for new regulations to protect consumer privacy. By one standard, GDPR was just in time. The Identity Theft Resource Center reported that exposed consumer data grew 126% in 2018, to encompass 446.5 million “sensitive records.” Business Insider ranked what it called the 21 “scariest data breaches” of the year – with celebrated organizations such as British Airways, Orbitz, T-Mobile, Saks, Cathay Pacific Airways, Facebook and Google+ as their chief targets.
Meanwhile, the California Consumer Privacy Act (CCPA) is set to take effect January 1, 2020 – a crushing deadline for millions of businesses.
While data privacy regulations have focused on holding organizations accountable for breaches of their systems and the Personally Identifiable Information (PII) they hold, what has arguably received much less attention is the rights of consumers to enforce the privacy of their personal data under California Consumer Privacy Act.
A tenet of CCPA is that consumers should feel free to exercise their rights to safeguard their personal data. What’s more, consumers should demand that organizations will be transparent about the usage of their personal data: what information the organization collects, how it is being used, and who it is being shared with.
Now, with California Consumer Privacy Act less than three months away, consumers have time to learn their privacy rights under CCPA. But businesses are in the hot seat, scrambling to become compliant by January 1. A recent survey of 250 privacy professionals at organizations with 500 or more employees revealed that 86% of companies are not prepared for the advent of the CCPA.
Businesses that don’t comply by January 1 may be subject to stiff penalties. California Consumer Privacy Act penalties (issued via civil cases from the attorney general) can reach up to $2,500 per unintentional violation and up to $7,500 per intentional violation. And yet, most organizations face the uphill battle of revamping a number of business practices, but also systems to implement the new rights of consumers.
If a regulation ever demonstrated the primacy of personal data and privacy, it’s California Consumer Privacy Act. Not only that, but CCPA’s definition of personal data is extensive and comprehensive. Personal data, as defined in Section 1798.140(o)(1) includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” And CCPA is more stringent, saying that “Californians are not just protected in their roles as consumers, but also as employees, patients, tenants, students, parents, children, etc.”
The act spells out consumer protections in detail: Consumers have the right to:
- Know what personal information is being collected by a business
- Know the business or commercial purpose of collecting personal information
- Obtain a copy of their personal information
- Know if any of that information is being sold, and to whom
- Know categories of third parties with whom personal data is shared
- Opt out of having their information sold
- Take legal action when companies breach personal data
- Have their personal data deleted upon request
While the GDPR penalizes companies for non-compliance as well as data breaches, the CCPA prescribes fines for non-compliant businesses and make them liable to civil class action lawsuits and paying restitution to California residents in case of data theft or a security breach.
With the multiple risks of noncompliance in mind, it may be time to consider automating compliance processes. Platforms for automation can eliminate weeks or months of tedious, error-prone manual processes, and the documentation they produce provides proof of compliance to auditors.
And if you’re feeling the urgency of achieving compliance by January 1, remember that your organization may be subject to two or more regulations. For example, organizations bound by GDPR and CCPR face the complexity of running two compliance programs in parallel. If you have a software platform on which you can run those consistently, you’ve taken the first step towards becoming and staying compliant.
Read our first three blogs on Data Compliance
- Why Enterprises should automate their Data Compliance
- Data Compliance Automation, the key objectives!
- Are GDPR and Data Protection Laws Overwhelming You? Don’t Feel Alone!
Need more information about how Odaseva can help you? Contact our Data Compliance experts: https://www.odaseva.com/contact-us/