California Consumer Protection Act (CCPA): How to Stay Compliant
Beginning January 1, 2020, business entities in California will need to be compliant with the California Consumer Protection Act (CCPA). The CCPA is a large set of privacy rules and regulations meant to protect the private information of California residents. It shares elements with other major privacy rules, such as the Health Insurance Portability and Accountability Act (HIPAA) and the European General Data Protection Regulation (GDPR), but is of course tailored to California's unique requirements.
One of the more complicated aspects of the CCPA is that even as it goes into effect, it is still being actively modified through regulatory actions. For instance, in mid-December, biometric data was added to the list of "private data" that must be protected under the CCPA. California is the fourth state to have a biometric privacy law in place, joining Illinois, Texas and Washington. While similar to the other state rules on biometric data (such as Illinois' Biometric Information Privacy Act, BIPA), there are key differences in how the CCPA handles this data. Since it is lumped in with all other "private" data, an employer's CCPA privacy notice must now list biometric data as protected if it is collected. The CCPA does not require consent notices from the consumer.
While this would appear to make the California rule more business-friendly, other aspects of this new biometric rule make it unique. Prior state rules on biometrics have included narrow definitions of what data is considered "biometric". The CCPA, however, went the other direction and has a very broad definition of biometric information: "an individual's physiological, biological or behavioral characteristics, including an individual's DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity."
Of course, the CCPA protects far more than just biometric data. It is a complex rule written, ultimately, to protect all private data of California citizens and to give those citizens, essentially, the right to have their personal data "forgotten" by businesses. The act allows consumers to sue companies if its guidelines are violated, regardless of whether or not there has been a breach. If you haven't yet implemented the CCPA's numerous requirements, it's definitely time to dive in and get into compliance. More information on the CCPA can be found here.
Questions? Reach out to the 'A' Team and let us know how we can help!