Browsing through our series of blogs, we hope you now have better idea of what the California Consumer Protection Act of 2018 (CCPA) is and most likely had the opportunity to determine if this applies to your organization.
As you will have noticed, the CCAC is particularly vast and resembles what the General Regulation on Data Protection (GDPR) inside and outside the European Union; CCPA will affect (and already does) organizations in California and beyond.
All over the world, companies that process the personal information of California residents will need to implement and enforce appropriate measures to comply with the requirements of the CCPA and its regulations.
To ensure compliance, your organization must, inter alia, begin with:
R Simplify your data mapping exercises;
Update your employees' policies and double-check the contracts of your HR service provider.
Reevaluate your processes and systems. and
Continue to monitor the evolution of the legal situation.
A simple first step in assessing the impact of CCAC on your organization is to start at the very beginning with questions such as:
Do you have Personally Identifiable Information (PII)?
Why do you have it?
How do you collect it?
Where is it stored?
How long do you keep it?
How do you keep it safe?
Who do you share it with?
What transfer mechanism do you use?
It is highly likely that you have already gained some experience in data mapping as part of the PEM compliance process, but you can not fully rely on your training exercise. RPG to understand your risks and your risk mitigation strategies. We discussed the differences between the GDPR and the CCPA in a previous blog post . In particular, the definition of personal information by the ACCP (and categories of personal information) is a little wider than that of personal data by the GDPR. For example, the browsing history and search history also constitute personal information, as well as information about devices and a "home". You must also distinguish between the sale of personal information and the disclosure of personal information for commercial purposes. Your new ACCP readiness data card must take into account these differences and meet the requirements of ACCP's "look back" (which requires a record of collected personal information before 1 January 2020). It's often a good idea to incorporate the data mapping exercise into your organization's privacy philosophy to ensure it is always up-to-date.
Although data mapping exercises often take a long time in the beginning, they are critical to your organization's ability to respond to requests for access, portability, and deletion of data and to ensure respect for the CCAC.
Update of Employee Policies
It is not entirely clear if ACCP applies to employee data collected by employers in the US. employment framework of the individual. The CCPA is supposed to apply to consumers. However, the definition of consumer includes "a natural person resident in California", which makes it unclear whether an employee located in California would be protected by collecting his employment data in his role as an employee. According to some of the acts prohibited under the CCPA, if a consumer refuses to allow the collection of their information (for example, refusing to deliver goods or services or charging different prices for goods), there is reason to believe that This does not apply to the employer's collection of employees' personal data in their role as employees. At present, the California Attorney General is holding six rule-making workshops that could provide more detail on this issue.
If it is established that it covers this type of data, employers should focus on data collected which is not already collected but which is not already excluded by the CCPA or pre-empted by federal law. For example, the CACP exempts benefit plans subject to HIPPA. ERISA (Employees Retirement Income Security Act, 1974) may be pre-empted from other employee benefit programs (primarily those related to pension plans). When there is no conflict with the areas mentioned above, the ACCP can cover information on wellness programs, reduction programs and other programs. marginal benefits.
New Processes and Systems
Well-defined processes, systems and employees will allow your organization to manage or not the ability to meet the new requirements of the CCPA. As you refine your processes, you need to involve stakeholders from all departments and clearly define responsibilities for key tasks (for example, obtaining appropriate consent, processing requests, reviewing data card, complying with requests) . Here too, you will find that transparency and accountability are essential.
Although the demands for access, portability and data deletion seem familiar to you, they are taking a new form under the CCPA. Unlike GDPR data deletion right in case of occurrence of six specific grounds (for example, withdrawal of consent or objection formulated), the right to delete ACCP data can be exercised for for any reason (with some exceptions) and the number of deletion requests that a consumer can make is unlimited. Similarly, the CCPA's right to portability of data is not conditioned by treatment, unlike the GDPR right (for example, if the treatment is based on consent). It is likely that your organization will receive at least one consumer request. What is your plan?
Once you receive a request for access, portability or deletion of data, you need a system and a process to check the information. the identity of the applicant and to determine whether the applicant has the necessary rights to make the request. And you only have 45 days (usually) to respond to the request and execute the specific request made. You must ensure that your organization has reviewed the data card, informed the appropriate stakeholders of the organization of these requests and specify who is responsible for processing which part of the application. In particular, it is important that stakeholders from different departments – from engineering to human resources – be ready to respond to these requests and have an idea of what will be asked of them. You may want to consider organizing on-demand response exercises to solve some of the problems in your processes and systems before the reality.
A novelty in the CCPA is the right of the consumer to withdraw from the sale of his personal information. Companies will need to update their home page to add a clear and visible link "Do not sell my personal information" (and an online form). Your process for tracking and processing unsubscription requests should then be activated. In addition, you can not ask for permission to sell a consumer's personal information for at least 12 months after exercising his right of withdrawal.
As compliance with the adoption of new privacy legislation evolves, your systems and processes must continue to evolve to meet new requirements and benefit from collective experience of your organization.
Monitoring the evolution of the legal situation
Organizations must also be wary of future developments. The CCPA has already undergone its first amendment on September 23, 2018; just two months after its initial adoption, a second amendment was introduced earlier this year. The CCPA also requires the California Attorney General (CAG) to adopt regulations to promote its purpose. For more information on the regulatory process and activities, see the Web site of CAG .
Your monitoring exercise should not, however, be limited to the CACP. Obviously, companies are encouraged to consider existing industry-specific laws. While the demand for federal legislation offering consistent protections and standards has been strong for some time and might not be adopted in the near future, following the footsteps of the European Union and California, some other US states and the world have recently implemented data protection and privacy laws to which your organization may be subject.