Maria Fritzsche
California Consumer Privacy Act 2023 Update
Prior to data protection legislation, there were several high-profile data breaches in the US. From Zoom’s $85 million settlement to T-Mobile’s data breach, the common denominator in each of these cases was clear: poor data controls and messy access management.
The California Consumer Privacy Act (CCPA) was introduced to solve that problem. In protecting consumers, the regulation provided guidance for large companies operating within the state or serving customers who reside in California.
In 2023, there have been several updates that regulated companies need to know about. With a recent crackdown on non-compliance, it is certainly something for regulated entities to get ahead of.
Background
The CCPA was first introduced in order to protect the rights of consumers living in the state. It aimed to regulate companies that (intentionally or otherwise) collected and processed data from these consumers. Since the State of California alone would make up the world’s fifth-largest economy, it’s no wonder that regulators focussed on protecting consumers.
The CCPA’s main aim was around disclosure: companies must let consumers know what data they were collecting, and for what the information was being used. Moreover, the Act made it clear to consumers that they had the right to opt out of any data collection without fear of retaliation.
Several other states have followed suit with their own privacy laws. Namely, the Colorado Privacy Act arrived in quick succession, and later the state of Virginia launched its own consumer protection laws. So, the buzz around data protection and cybersecurity doesn’t seem to be going anywhere anytime soon.
2023 updates to the CCPA
As a result of the California Privacy Rights Act (CPRA), which came into effect on 1 January 2023, there are a few updates that might change your company’s compliance duties:
- Worker data rights
- Added consumer privacy rights
Worker data rights
When it was initially introduced, the CCPA allowed employees or employee-adjacent personnel (such as independent contractors) to be exempt from the regulation. This meant that companies did not have to extend their data collection and processing protocols internally to employee data.
Now though, regulated companies must respect the following California privacy rights of workers, who can:
- Ask what data is being kept on them
- Ask to correct any inaccurate data, or delete it altogether
- Ask what data is shared with third parties
- Ask that data is not shared or sold to third parties
This applies to California employees, independent contractors and applicants for a role, along with their emergency contacts and beneficiaries.
Added consumer privacy rights
For a quick recap, the original version of the CCPA focussed on regulating businesses to act in the interest of their California resident customers. With huge amounts of data being collected and processed by companies operating with Californian customers, some corporations were set to make millions in the sharing and selling of that data.
Therefore, this data privacy law was launched with a particular focus on the protection of consumer data.
Now, CCPA compliance means that businesses must adhere to two more consumer rights under Californian law:
- Individuals have the right to correct any inaccurate personal information that a business holds about them.
- Individuals have the right to limit the use and disclosure of their sensitive personal information.
It is important that companies make the distinction between personal information and sensitive personal information. This is because the way that businesses are allowed to treat this data varies. Sensitive personal information refers to identifiable data, such as a social security number.
No room for non-compliance
Just last month, the California Attorney General’s Office notified mobile apps in the retail, travel and food industries of violations of the CCPA regulation. These notifications are likely due to non-compliance with their privacy policies or data processing practices, prior to the updates.
However, the public nature of this announcement means that the Californian government seems to be stepping up its efforts around compliance. It also means that any service provider that operates in California or serves Californian customers should stay ‘on their toes’ in reaction to any future CCPA updates. Moreover, the fines for non-compliance with this regulation have been well-documented. Civil violations of the privacy legislation carry a maximum fine of $2,500 per violation, rising to $7,500 for intentional violations. Plus, companies should be aware that by not complying with the CCPA, they’re exposed to legal action by their customers, too.
How to stay compliant
Staying on the right side of compliance isn’t easy, but with an increased focus on the CCPA by the government, it matters now more than ever. Moreover, consumers’ personal information is a hot commodity and must be protected as global privacy control continues to change.
CUBE RegPlatform can help your enterprise manage its regulatory intelligence, all the way down to the jurisdictional level. Operating globally means complying with local regulations, which can be a pain to manage. But your team can breathe easy when they use CUBE’s RegPlatform, which uses horizon-scanning technology to show you exactly what is around the corner.
Keep ahead of your CCPA obligations by speaking to CUBE.