The new California Consumer Privacy Act (CCPA) regulation will be the most rigid and far-reaching of its kind in the US, with significant implications for records management and information governance.
As with any new regulation, there is a lot of confusion about what its impact will be. We take a look at exactly what the CCPA is and how records managers can best prepare.
The CCPA: What is it?
The CCPA is designed to extend the right to privacy, afforded by the 1972 amendment to Article 1 of the California state constitution, into the digital space. By introducing five new rights specific to personal data privacy and data security, the CCPA aims to shift the ownership of data back into the hands of the people who produce it.
The bill gives Californians the right to:
1) Know what personal information is being collected about them.
2) Know whether their personal information is sold or disclosed and to whom.
3) Say no to the sale of personal information.
4) Access their personal information.
5) Receive equal service and price, even if they exercise their privacy rights.
The specifics of the bill require businesses to inform customers, before collection, of all categories of data that will be collected, as well as of any third parties that collect the data on their behalf or to whom it is sold. The categories extend beyond emails and names to include ‘inferred data’, facial mapping, and sleep patterns, among others. The bill also gives consumers the right to request the deletion of their personal data, much like the GDPR legislation introduced by the European Union in 2018. Companies that deal with minors will also be specifically affected, as the sale of data pertaining to minors under the age of 13 will require explicit consent from parents, and that consent will need to be tracked.
Who Will it Affect?
Much like the GDPR, the bill’s impact is not limited to companies that are headquartered in California. The regulation covers the data privacy and data security of all residents of California. This means that any business that meets the criteria laid out by the bill and has customers who are California residents must be in compliance. Businesses that are not will face fines of $2,500 per incident - going up to $7,500 if the violation was intentional. For a business to be liable, it only needs to meet one of the following:
- Have annual gross revenues in excess of $25 million.
- Buy, sell, or share for commercial purposes the data of more than 50,000 consumers, households, or devices.
- Derive 50% or more of their annual revenue from the sale of customers' personal information.
What Does This Mean for Records Management Professionals?
The impact in the records and information management space cannot be overstated. The regulation’s extensive coverage means that compliance will be a many-headed beast.
With a sound risk assessment and proper planning, businesses can be on their way to meeting the requirements. Below are three key considerations for records and information management professionals with regard to CCPA-compliant information governance.
1) Lead by Example
As information management professionals, a key first step is to shine a light on your own internal information governance.
If your business directly stores any customer data for clients on your own infrastructure, and you meet the criteria for liability, then you need to ensure that your system is compliant.
Any software solutions that you provide to clients also need to meet the demands of CCPA compliance by ensuring that data is correctly categorized and that reporting meets the needs of potential requests.
Avoiding financial losses from violations will require a holistic, compliance-centric approach to information governance. It will be the role of records and information management professionals to set an example and guide their organizations to put proactive systems and processes in place.
2) Identify Risk, Perform an Audit
A thorough audit to identify all areas of exposure that could put a client’s business at risk of violation will be crucial. Every single data point that's associated with personal information of a customer must be accounted for and categorized in such a way that it can be easily communicated to the consumer within the guidelines of the regulation.
For many businesses, this will mean completely overhauling the way that data is categorized and handled. While making these changes may be difficult, the result should be a more robust system of information governance, one that should be a standard for modern businesses regardless of the law.
3) Prepare for Requests
The law gives consumers the right to request from businesses a full report of any personal information held about them. Carefully auditing information governance will go a long way toward making this less painful for clients, but it will require infrastructural investment as well. While it is unlikely that most businesses will be inundated with requests for this data, you can be proactive by ensuring that your clients are equipped with a solution that streamlines the reporting process. In the event of a flood of requests, having the right solution in place will mean that they are not wasting valuable time and resources manually evaluating requests and packaging data reports for customers on an ad hoc basis.