Just when we are catching our breath from the GDPR marathon, we have to switch lanes to CCPA compliance. As the world transitions in full to a knowledge economy, data is the basic raw material in all sectors. Thus, managing and processing data in a way that ensures its protection and privacy is top of mind for governments and regulators.
What is CCPA?
The US State of California is leading the charge for strong legal frameworks for the protection and privacy of citizens’ data. CCPA stands for California Consumers Protection Act 2018, which comes into force on January 1, 2020. CCPA compliance does not excuse non-compliance with other privacy laws in the State of California. Thus, other laws like the Privacy Rights for California Minors in the Digital World Act, the CalOPPA (California Online Privacy Protection Act) and Shine the Light are to run concurrently.
CCPA Compliance Requirements
In essence, CCPA compliance requires companies to maintain an up-to-date data inventory and data flow maps.
Under the transparency requirements of CCPA compliance, data controllers must provide data subjects with information about the category of personal data being collected, the purposes for which it will be used and the categories of third parties with whom the collected data will be shared. Details of this information are to be contained in the data controller’s privacy policy, which should be updated at least once every 12 months.
Under the processor obligations requirements of CCPA compliance, data controllers must convey data subjects’ deletion requests to their service providers.
Under the individual rights (Data Portability and Data Access) requirements of CCPA compliance, data subjects (customers) have the rights of data access and portability. This means that data subjects have the right to obtain from a company all data they have provided to it and to transfer that data to another company. When such a request is made, data controllers must respond to it within 45 days.
The last CCPA compliance requirement is that, under the individual rights (Deletion) requirements, data subjects have the right to request that their data be deleted from the data controller’s database.