Beginning January 1, 2020, certain businesses that do business in California and collect the personal information regarding California residents will be required to comply with the broad requirements of the California Consumer Privacy Act (CCPA). Businesses that are unprepared to comply with CCPA’s wide-ranging restrictions on the handling of California consumers’ personal information could face significant financial penalties.
Private Right of Action and Reasonable Security
The CCPA not only restricts businesses’ ability to collect and maintain California residents’ personal information. It also provides residents with new rights and a private right of action to bring suit against businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
While “reasonable security procedures and practices” is not defined in the legislation, common information security controls published by the Center for Internet Security Controls would likely be deemed acceptable based on previous guidance from the California Attorney General’s Office.
Other Rights Provided by CCPA
One of the rights included in the legislation is the right to be informed of the categories of personal information that a business collects or otherwise receives, sells or discloses about the individual resident, the purported reason for collecting such data, and the category of partner their personal information has been disclosed to.
Other rights include the right to request the deletion of personal information collected by the covered business in certain instances, and the right to receive that information from the covered business in a user-friendly format.
Are you prepared to receive a California resident’s request to provide them the personal information your business has collected on that resident? How should the acknowledgment of the request be communicated? How should the individual data be transmitted to the consumer? And how would you verify the requestors’ identity, given that your business must respond within a statutory time frame?
All of these questions should be considered from a business-wide and operational perspective since the new California requirements could have a substantial impact on your data collection and marketing practices.