iQoncept - Fotolia
The California Consumer Privacy Act comes into force in January 2020 and applies to any organisation that does business with California residents.
In this podcast, we talk to Mathieu Gorge, CEO of Vigitrust, about the California Consumer Privacy Act, its provision, how it is similar and how it differs from GDPR, and what organisations need to do to achieve compliance.
Antony Adshead: What is the California Consumer Privacy Act and why does it matter to compliance and storage strategy for organisations in Europe?
Mathieu Gorge: We all know 2018 was a big year for data protection because the General Data Protection Regulation (GDPR) came into force in Europe on 25 May.
But in the US, it was also a big year, because the California Consumer Privacy Act of 2018 was signed into law in June 2018 in California and is coming into effect from 1 January 2020, which is less than a year from today.
So, what are the act’s major provisions and key aspects that you need to be aware of?
First of all, the act gives consumers – defined as natural persons who are California residents – four basic rights with regards to their personal information.
So, the first right is the right to know what the data is that is collected about them, where it is from, what is the source, what it is being used for, whether it is being disclosed or sold to a third party, and who that third party is.
Read more about storage and compliance
- Mathieu Gorge looks ahead to key areas in compliance in 2019, including mushrooming data volumes, GDPR fines and the California Consumer Privacy Act.
- Mathieu Gorge talks you through the key areas needed for compliance in storage of data subjects’ data and how to find it quickly on request.
The second right is a right to opt out of allowing a business to share information with third parties, with some specific restrictions based on the age of the resident.
The third right is the right to have a business delete personal information, with again some exceptions.
And the fourth right is the right to receive equal service and pricing from the business if you exercise your privacy rights under the act, for example, if you ask them to confirm what they’re doing with your data.
Preparing for the California Consumer Privacy Act
Adshead: What do organisations need to do to prepare for the California Consumer Privacy Act?
Gorge: From a legal perspective, you need to start formulating a compliance strategy roadmap before it comes into effect on 1 January 2020.
From the storage and compliance perspective, it is going back to basics, because it means you need to understand the type of data you collect, how you collect it, where you store it, how you delete it and how you get access to it, and therefore you need to map your ecosystem and the type of data you have.
You also need to map the age of the consumers because there are some specific restrictions based on age, specifically some rules around consumers that are less than 16 years of age.
You can certainly re-use all the work that you’ve done for GDPR compliance because some of the themes between GDPR and the California Consumer Privacy Act are very similar.
They both have extra-territorial reach in that they apply outside of their borders, they both provide good privacy principles, they both ask you to know where your data is, to be able to access the data, to be able to store the data in a secure way, and to delete the data if you ask to do so.
Differences between regulations
There are some differences, however, with GDPR. You’re talking about data subjects; their rights are different from the consumers within the act. That said, there is an underlying framework that essentially covers both regulations.
So, there will be fines [resulting from] the California Consumer Privacy Act, and those fines will be applied by the California Attorney General and they can go up to $7,500 for a violation – but also there can be statutory damages that can be between $100 and $750 per California resident per incident. The cost can go up very high, but it’s not defined as a percentage of global turnover as it is with GDPR.
I should also point out there are some questions that remain because, obviously, it hasn’t been applied, there haven’t been fines yet, and even if there are fines, we can expect some of them will go through an appeal process.
That said, the advice would be to start mapping data that pertains to consumers as defined by the act and, if you do, where is that data stored, how is it secured, can you access it, do you have the ability to securely delete it and are you able to demonstrate to the Attorney General that you have a roadmap for compliance?