• what is California data privacy law 2020?

    The California data privacy law 2020 will come into effect on January 1, 2020. Seven amendments have been examined by the CA legislature until September 13, 2019. The governor had 30 days until October 13, 2019, to sign the amendments and incorporate them into the law or veto bills that have passed the legislature.  

     An overview of the California Law

    The design of the California Consumer Privacy Act provides California residents with increased control over their personal data. Fundamentally, it enables consumers to be  aware of their data, and how it is gathered, stored and processed. 

    Moreover, it grants a consumer with a right to request for the deletion of his or her data and also a right to opt-out from having their information sold. 

     It requires non-compliant companies to comply with its requirements and facilitate their users with data requests, update their privacy policies. Lastly, it wants companies to make sure that the vendors also comply with the requirements. 

     Amendments Highlights

    Many changes were suggested to the original version of the CCPA by various groups. A few imperative proposals that can impact financial institutions incorporate the following assembly bills. 

     1) Employee Exemption (AB 25) 

    This bill excludes personal information collected from job applicants, employees, business owners, directors, officers, medical staff or contractors from the CCPA consumer rights (such as access, deletion, and opt-out). 

     Although, the Senate Committee denied the suggested exemptions from the CCPA notice and data breach liability provisions. It indicates that employers have to provide a privacy notice when collecting employee personal information. 

     In addition, employee data is included in the data breach events and their private right of action is available. An employee exemption is a sunset provision which will expire by January 1 2021.  

    When the date arrives, the CA Legislature will provide regulation similar for the handling of employee data.

    2) Loyalty Programs (AB 846) 

    This bill will allow the usage of personal information with consumer’s consent and voluntary participation in the loyalty program. It forbids companies to sell personal information from loyalty programs to other companies. 

    Therefore, it will impact various companies who rely on cross-marketing in their business model.  

    3) Consumer Requests for disclosure methods (AB 1564)

    This bill will allow those businesses that operate online and are directly connected with their consumers to give a single method (email) for consumers to contact them. Generally, it is less hectic from what originally required of entities under California data privacy law 2020. It also includes an additional method and a toll-free number.  

     A few items are under consideration. However, the amendments cover a wide range of items, that incorporate, data brokers to register with the attorney general (AB 1202), requirements for parents/guardians of children under 13 to take consent for social media accounts, requiring business using facial recognition to disclose the usage at all relevant locations (AB 1281). The amendments also allow a business to differently treat the consumers who have exercised privacy rights if related to the value provided by the business (AB 1355). 

     Rejected Proposals 

    The amendments listed down below were rejected and will not modify the California data privacy law 2020.

    • Definition of Personal Information (AB 873) – This bill sought to include data not “reasonably linkable” to a consumer in “de-identification” information, and to remove “household” from the definition of personal information.
    • Insurance Exemptions (AB 981) – This bill sought to take away from consumers the right to remove or delete personal data from insurance transactions. 
    • Exceptions for businesses (AB 1416) – This bill sought to allow some exceptions for businesses to provide personal information to government agencies, as well as to allow the sale of information from “opt-out” choosers to detect security incidents fraud and other activities.

    Frequently Asked Questions 

     1) Is our website affected by CCPA? 

    Only if you collect and process data of California citizens and also if you meet at least anyone from the conditions mentioned below.

    • If your annual gross revenues are at least $25 million.
    • Also, if you obtain personal data of at least 50,000 Californian residents, household and devices every year.
    • Lastly, if you generate 50% of your annual revenue from the sale of California’s inhabitants’ personal data.
     2) How to prepare data maps of California residents?

    Data mapping is a process which figures out the type of information you accumulate, why and where you hold it, and with whom you share it. This process also states that how the information is transferred addresses many other questions related to data collection and its daily usage.

    CCPA expects you to conduct data mapping of your users from California. Although, this is not a strict obligation by the CCPA but considered as a good practice that saps risk associated with the data of your users.

    3) How can we make our website CCPA compliant?

    CCPA requirements are clear and precise that a business must meet. The requirements include:

    • A privacy policy that must be updated on how, why, and what personal information is being processed and collected.
    • A privacy policy has to be updated by mentioning information on how your user can request access, change, or delete their data you recently have gathered.
    • A business must introduce a verification method of a person’s identity-making such requests.
    • A business must introduce a “Do Not Sell My Personal Information” link on its website’s home page. Through this, your users can easily prohibit you from selling their data.
    • You must have prior consent from 13-16 years olds before you sell their data. To process underage children’s (younger than 13 years) data, you must obtain consent from their parents/gardens.
    4) Should I take consent before collecting and processing my users’ data?

    No, as a reversal, CCPA does not require you to obtain consent before collecting and processing your users’ data.

    Protect yourself, get compliant fast.

    Scan & Audit your Cookies

    Scan your website Cookies, generate a fully-customisable Cookie Consent Banner
    & create a Cookie Policy – FREE