What is The California Customer Privacy Act (CCPA)?
California’s new, landmark privacy law “The California Consumer Privacy Act” (CCPA),” was unanimously passed by California lawmakers. Signed into law by the Governor on June 28th, 2018, it ensures unprecedented personal data protection for the Californian consumer and sets the tone for similar legislation in other states. Recent data breaches and the negative public reaction to them has driven the same. This would require significant changes in the information management systems dealing in personal data.
The California Consumer Privacy Act (CCPA) grants the following consumer rights, including the ability to:
- know what personal data is being collected
- know what personal data its being sold and/or shared with 3rd third parties
- opt out of sale of your data
- access your personal information
- request the deletion of your personal data
Should a consumer exercise one of the rights listed above, a business would be required to respond within 45 days of the request.
The businesses subject to this new law must map out all personal information collected and shared by Californians. This activity should include all the categories of personal information collected, including why the information is gathered, and to whom the information is shared, and/or sold. This step is vital to allow organizations respond to consumer requests, as they should ideally expect a high number of requests initially.
Qualifying businesses are required to adhere to a host of new policies, guidelines, and procedures for ensuring the protection of personal information. This includes all updates to the privacy policies, reasonable security protections, and the facilitation of consumer rights. Each new request from a customer engagement must be formally analyzed, since different scenarios may emerge in which a business may not have to honor the consumer's requests to exercise one of their rights.
If any of the following are true of your organization, regardless of location, then you will have to comply with CCPA:
- $25 million in revenue
- 50,000 plus consumer records sold
- More than 50% of revenue from selling PII
While the CCPA is being compared to the General Data Protection Regulation (GDPR) – it becomes even more important for us to spend some time to understand the difference and ensure that when it comes to taking appropriate measures to address this new regulation, we take suitable changes to operating procedures or information system and in some cases the business arrangement
||Established in the Union, or not establishes in the Union and offering good or services to EU residents or monitoring data subject’s EU behavior.|
|Enforcement Power||California Attorney General||Supervisory authority within each member state|
|Civil Penalty||Up to $7,500 per violation||% of gross revenue|
|Cure Period||Within 30 days of being notified||No cure period provided in the regulation|
|Breach Notification Timeline||In the most expedient time possible, without reasonable delay||72 hours after becoming aware of the breach|
|Private Right of Action||A consumer may bring an action to recover damages upto $7500 per incident or actual damages, whichever is greater||EU gives citizens a right to pursue compensation claims against controllers and processors for damages|
|Consumers Access Request||Requires two methods for requesting access to the information through telephone and website||At least one method to service access request (self-service, email, or telephone)|
|Customer Access Request Timeline||45 days+||30 days+|
|Do Not Sell My Personal Information – Internet Webpage||Required||Not required|
|Offering Incentives in Exchange for Data||Permissible||Permissible – but must be adopted cautiously|
|Right to Opt Out for Third-party Sales||Yes||Yes|
|OPT in Consent for Minors||Yes||Yes|
|Right of Access||Yes||Yes|
|Right to Delete||Yes||Yes|
|Right to Data Portability||Yes||Yes|
|Right of Rectification||No||Yes|
|Legal Basis of Processing||No||Yes|
|Required Data Protection||No||Yes|
HCL’s point of view on the impact to the Utility Industry, and the ways of observing the true essence of the regulations (instead of just the letter) is perhaps the most practical way forward. We do see similar impact to various process and IT systems as GDPR came into being, Viz. How do utilities across the world handle data of a California resident? We feel that organizations must be willing to undertake a thorough assessment to develop a deep understanding of the potential gaps in their privacy capabilities and estimate how prepared they really are to face the new regulatory framework. We feel that they need to:
Build and maintain a repository of the personal data collected: In light of the complexities associated with a utility process information system, and the most likely absence of a combined data inventory, this initiative should be taken on a priority. This would begin with the assessment and subsequent documentation of the systems and business processes which must handle personal information.
Typical utility industry-facing software that can store person-specific information, include outage management system (OMS), Customer Relationship Management (CRM) system, ERP system, bill-pay/financial management system, identity and access management system (IAM), HR-centric systems, and other systems, including a customer engagement platform and Demand Side Management (DSM) products managed by third-parties.
Quick response to requests including those for a deletion or for information collected and stored – The Act establishes broad-based rights for residents of California and formulates the need for prompt action. Utilities must be in a position to offer hassle-free tools (mobile apps) to complete this process through any channel communication.
Ensure that staff members with an access to person-specific data are cognizant of the new regulations and have received adequate training on the latest standards for safe and secure data handling – Awareness constitutes the best possible defense against any potential breach.
Check whether third-parties can address the privacy-related clauses, which will have to be included in the contract going forward – The potential damage to reputation arising from a data breach can have a significant impact. Adequate assurance methods and implementation of appropriate controls like customer engagement firms, payment processors, and third-party energy service companies could help ensure this.
Ensure the option to opt out – Customers now can exercise their opt-out option for any potential sale of person-specific data related to themselves. They may do so through a minimal “do_not_sell_my_personal_information” url, available on the home page of the organization’s website.
With the clock running out on the time to meet the requirements of this law, the initial capability check must be followed closely by a more detailed analysis of gaps. Besides identifying areas that must be addressed, this would also result in a roadmap or action plan, which may then be leveraged for clarity on the specific measures that must be taken in terms of governance regulations, processes, organizational structure, capabilities, and future technical requirements.
Currently, the implementation deadline for the CCPA is January 1, 2020, however, the requirements of the law will likely evolve over the next year or so. Indeed, an amendment was already signed into law in September which (among other changes) delays the CA Attorney General’s ability to bring an enforcement action until July 1, 2020. The broad rights as outlined above are likely to remain intact however.