With the July 1 enforcement date fast approaching, California's Office of the Attorney General (OAG) has finalized its regulations implementing the California Consumer Privacy Act (CCPA or the “Act”). Several sections of the finalized regulations are critical to compliance, including the following.
A fundamental principle of the Act is the requirement of “...notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.” This includes the categories and sources of the personally identifiable information (PII) being collected and a description of the categories of third parties with which the business will share that PII.
Business units may wish to carry out a risk/reward analysis of how sensitive consumers are to the sale of their data to particular categories of third parties. Data collected from consumers may reveal that certain third-party relationships are not financially worthwhile for the business/seller.
The regulations allow differential pricing based on the consumer’s decision to disclose their data, provided the business gives a notice of financial incentive covering the price or service difference it offers. Furthermore, under Section 999.307(b)(5) of the regulations, that notice must explain how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data.
Businesses retain the right under the CCPA to offer financial incentives or price/service differences if the difference is reasonably related to the value of the data at issue. Once again, documentation is key: “If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference.” Details are available in the text of the regulations. Note that when a business calculates the value of its consumer data, it must be able to document and substantiate the method it used.
Businesses that do not provide password-protected household accounts must comply with Section 999.318 of the regulations before fulfilling a request to access or delete household information. Specifically, these businesses must:
The regulations also govern the notices that must be provided to consumers. The most recent changes amended the notice requirements to read “be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California” [emphasis added]. This revised language shows an intent to limit the requirement to the languages the company actually uses in California. Therefore, businesses must review the languages used to engage customers in the ordinary course of business in California. This review should include signage at physical locations in the state, including front desks, elevators, and room heating/cooling system instructions.
The regulations provide that “A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out posted unless it obtains the affirmative authorization of the consumer.” Therefore, if a company continues to sell such data to third parties without receiving affirmative authorization, it will be in violation of the Act. However, a business can re-establish the right to sell that data by notifying the consumer of its new privacy policy and obtaining affirmative authorization in the process.
The regulations recognize that, because of how some records systems were constructed, actively deleting personal information may be difficult or impossible. Therefore, deidentifying or aggregating the consumer’s personal information is sufficient to comply with a consumer request to delete under the CCPA.
Requests to opt out of the sale of personal information are both an exception to the general response deadline and the most common request seen under the law. Section 999.315(f) of the regulations mandates that businesses comply with such requests in no more than fifteen (15) business days from the date the request is received. The narrow window makes streamlined tracking of CCPA requests across business units essential for response-time compliance.
Businesses are not required to search for personal information if ALL of the following conditions are met:
Therefore, security data such as security-camera footage would typically not need to be searched in response to an access request. A hotel receiving an information access request from a guest would not have to search its CCTV footage for video of the guest, as long as the footage meets all of the above conditions and the hotel informs the guest that the category of records containing such footage went unsearched. Note that this relieves the business only of the obligation to search; the footage itself remains personal information subject to the Act.
In sum, businesses should focus on transparency with their customers and follow a risk-based approach to how they collect, process, and disseminate personal information. The bottom line is that a customer’s personal information belongs to the individual, not the business.