Other parts of this series:
- The Challenge and the opportunity of the California Consumer Privacy Act
- Designing a comprehensive data privacy and security program
- Meeting California Consumer Privacy Act requirements with existing capabilities
- Capabilities and controls for a robust data privacy program
- Privacy Regulations: What approaches are emerging from financial services?
- Addressing privacy regulation within a broader “consumer rights” program
The California Consumer Privacy Act of 2018 (CCPA), which becomes effective on January 1, 2020, is one of the most comprehensive and far-reaching new privacy rules.
Privacy rules are proliferating at the international, national and state levels, with regulators seeking not only to protect the privacy and security of consumers’ data, but to mandate that financial institutions and other organizations with access to large amounts of consumer data demonstrate their ability to monitor and defend against the growing threat of cyber intrusion.
From the Fair Credit Reporting Act of 1970 to the Gramm-Leach-Bliley Act (GLBA) of 1999 – and more recently to the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018 – these rules have sought to protect consumers’ rights to access their own data, to restrict the use of such data, to correct errors and omissions, and to “opt out” of inclusion in various databases.
The California Consumer Privacy Act of 2018 (CCPA), which becomes effective on January 1, 2020, is one of the most comprehensive and far-reaching new rules. The CCPA is the latest in principle-based privacy rules and regulations addressing data processing, protection, tracking and reporting by businesses, with “business” defined as companies that meet at least one of the following criteria: i) collect and/or sell data to California residents and have annual gross revenues of $25 million annually, ii) that obtain personal information from 50,000 or more California residents, households or devices annually, or iii) derive 50 percent or more of their annual revenue from selling California residents’ personal information.1
Like GDPR, the CCPA requires companies to provide consumers with the ability to access or delete personally identifiable information (PII) or to opt out of relationships without discrimination. CCPA also mandates that companies clarify how they engage with Californians and how they collect, retain and store PII.2
Further dialogue between regulator and industry on the Act and amendments to CCPA is expected before these go into effect, but their enactment presents companies with significant challenges to the way they safeguard consumer privacy rights. Trade associations, companies and privacy groups are gearing up for discussion about U.S. privacy laws, and the Federal and State policymakers and Standards groups are working hand-in-hand to shape a robust, yet practical regulation.3
Our experience with clients – as well as our own research – indicate that data privacy and protection capabilities can provide companies with an opportunity to differentiate themselves in consumers’ eyes. Companies should see data privacy and protection not as another compliance burden, but as an opportunity to build consumer trust and brand loyalty.
In this blog series, we will examine the implications of CCPA within the context of other rules such as GDPR and GLBA and will explore how companies can seize the opportunity presented by a heightened awareness of the need for data security. Our next blog will focus on some of the key elements in designing a privacy program.
To find out more about the CCPA please contact me.
- “SB-1121 California Consumer Privacy Act of 2018,” California Legislative Information, September 23, 2018. Access at: https://leginfo.legislature.ca.gov/faces/billVersionsCompareClient.xhtml?bill_id=201720180SB1121.
- For additional perspective on the topic, please consult the National Telecommunications and Information Administration site at: https://www.ntia.doc.gov/category/privacy. Also of interest is the letter from the Business Roundtable to the U.S. National Telecommunications and Information Administration available here: https://www.businessroundtable.org/business-roundtable-letter-on-developing-the-administrations-approach-to-consumer-privacy.