In 2018, the California Consumer Privacy Act (CCPA) was signed into law. Its goal was to extend consumer privacy protections to include the internet. The CCPA is the most comprehensive online data privacy legislation in the US, with no equivalent Federal legislation.
Under the CCPA, consumers have a right to access through a data subject access request (DSAR) the categories and specific pieces of personal information held by covered businesses. Businesses can’t sell consumers’ personal information without providing a clear and obvious web notice offering each individual an opportunity to opt-out.
Like the GDPR, there is also a “right to delete” — with some exemptions — consumer personal information on request. The CCPA also gives consumers a limited right of action to sue if they’re the victim of a data breach. Legislation is in the works to broaden consumers’ private right of action to sue on other grounds. (CPRA – new regulations are currently being written)
Another striking innovation within the CCPA is its very broad definition of personal information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That covers a lot of ground and is similar to the GDPR’s own expansive view of personal data.
The CCPA also contains a long list of identifiers it considers personal information, including biometric, geolocation, email, browsing history, employee data, and more.
While the focus has been on extensive new privacy rights for consumers, there’s also a strong data security component to the CCPA. The law calls for companies to “implement and maintain reasonable security procedures”. What does that mean? No one’s sure, though there are strong hints that the California government is looking to the Center of Internet Security’s top 20 controls and the NIST Critical Infrastructure Security (CIS) Framework as baselines. NIST has also published an excellent Privacy Framework which Newport Thomson uses to assit organizations implement Privacy Management Programmes