The California Consumer Privacy Act (CCPA) is a first in U.S. state law and has captured the attention of privacy professionals across the country. Similar to the GDPR in many regards, this regulation will require organizations to reexamine the ways data is collected, used, and protected.
Privacy professionals are hard pressed to stay apprised of the shifting regulatory landscape and must continually research and understand the impacts of changing U.S. state, federal, and international regulations. A regulation like the CCPA that is garnering so much attention, has very real business impacts, and continues to change (with over 200 proposed amendments as of March of this year) certainly adds to this complexity.
The RADAR regulatory team continuously tracks new and evolving global data breach notification laws and regulations so that, if passed, any new requirement is incorporated into the RADAR platform for automated risk scoring to ensure compliance on the law’s first day of enforcement. Doing this work also affords our regulatory team a high-level vantage point to identify regulatory trends.
The CCPA may present a new high water mark for privacy legislation in the United States, but it also aligns with a trend we are seeing across the country toward greater stringency in protecting data.
CCPA Regulatory Trend: Expanded Scope of Personal Information
Over the years, the RADAR regulatory team has identified a number of trends in changing and emerging data breach notification regulations. The CCPA brings to light one of our previously identified trends: the expansive scope of what is considered personal information. Because this expanded definition applies to the CCPA, and not to the California Civil Code or the California Health and Safety Code, it complicates data breach notification assessments for businesses, which could potentially lead to over-reporting.
Privacy professionals who are familiar with the GDPR may experience a bit of déjà vu when reading the CCPA’s definition of personal information, which broadly includes information that can identify, relate to, describe, be associated with, or be reasonably linked directly or indirectly to a particular consumer or household.
Privacy professionals in California must also take into consideration an additional layer of privacy compliance: privacy obligations under the California Civil Code. Well before the CCPA was even brought to the Senate floor, California had earned a reputation as the jurisdiction with one of the most stringent data privacy laws. In fact, California was the first state to pass a data breach notification regulation, back in 2003. Not to be outpaced, California also recently amended the data breach notification regulation’s personal information definition to include biometric information and federal government IDs.
The challenge with such broad definitions of personal information, from a compliance perspective, is that they greatly increase the number of privacy incidents that must be assessed to determine the risk of harm to affected individuals. With the GDPR, there was a notable increase in the number of breaches reported to supervisory authorities, but regulators noted an initial problem with over-reporting. Over-reporting can have negative repercussions for an organization and can indicate to regulators that the privacy program is not sophisticated in managing incidents and evaluating the potential risk to affected individuals.
California Privacy Laws: Change is the Only Constant
It’s important to note that, while the effective date of the CCPA looms large, the law has not yet been finalized, leaving privacy professionals aiming at a moving target. Just last week, a number of proposed amendments to the CCPA advanced, including major amendments that could change the definition of personal information.
And while the details of the CCPA continue to be ironed out, California lawmakers are not resting on their laurels. In February of this year, lawmakers introduced several proposed changes to the California Civil Code in a legislative package called “Your Data, Your Way.” Included in this package is AB-1035, a proposal for a 72-hour timeframe to provide notification of a data breach.
That isn’t all. There are four pieces of California data privacy legislation currently on the RADAR regulatory watchlist, a feature within RADAR that includes activity on bills and proposed regulations that, if passed, could impact breach notification obligations in the jurisdictions supported by RADAR.
All this to say that compliance with privacy laws is complex, ongoing, and liable to make even the most seasoned privacy professionals want to pull out their hair. Before you reach that point, it can be helpful to return to the basics and shore up your privacy program. Here are a couple of places to start:
- Stay ahead of changing regulations with law overviews and keep a regulatory watchlist. Monitoring and staying on top of the patchwork of ever-changing global data breach notification laws is one of the biggest challenges privacy and security professionals face. Stay current with Breach Law Radar, a free data breach notification law research platform that includes summaries of hundreds of domestic and global data breach notification laws, rules, and regulations.
- See the big picture view of your organization’s privacy health. By establishing real-time reports and dashboards you can identify trends, benchmark your program, and garner the insights you need for continual process improvements.
RADAR and the California Consumer Privacy Act:
Leverage the depth of the RADAR platform for CCPA readiness tasks and meet current and future regulatory requirements for data breach notification in the state of California and beyond. Explore how to:
- Verify your data processing and data protection measures
- Meet California state and federal breach notification requirements
- Stay ahead of changing regulations
- Get big picture views of your organization's privacy program