Data Protection in the USA
Do you do business in California? Do you use personal data of the citizens of California? Are you aware of the new California Consumer Protection Act (CCPA), due to come into force Jan 1, 2020?
To give you a taste, the CCPA requires that a business must disclose:
At or before collection (disclosure is not specifically required in a privacy notice), the categories of personal information to be collected and the purposes for which the personal information shall be used. Per § 1798.100(b)
A description of a consumer’s right to request deletion of any personal information about the consumer that the business has collected from the consumer. Per § 1798.105(b) with reference to § 1798.130
A description of a consumer’s right to request disclosure regarding the collection of personal information. Per § 1798.110 by reference via § 1798.130(a)(5)(A)
A description of a consumer’s right to request disclosure regarding the sale of personal information. Per § 1798.115 by reference via § 1798.130(a)(5)(A)
A description of a consumer’s right not to face discrimination for exercising a right under the CCPA. Per § 1798.125 by reference via § 1798.130(a)(5)(A)
A list of categories of personal information collected about consumers* in the preceding 12 months, which include the:
- Categories of personal information collected about that consumer.*
- Categories of sources from which the personal information is collected.
- Business or commercial purpose for collecting or selling personal information.
- Categories of third parties with whom the business shares personal information.
- Specific pieces of personal information the business has collected about the consumer.
A list of categories of personal information sold about consumers* in the preceding 12 months. Per § 1798.115(c) by reference via § 1798.130(C)(i)
A list of categories of personal information disclosed about consumers* for a business purpose in the preceding 12 months. Per § 1798.115(c) by reference via § 1798.130(C)(ii)
All the above information must be updated at least once every 12 months and available on a business’s website if it does not maintain an online privacy policy (per § 1798.130(a)(5)).
The categories from the definition of “personal information” (§ 1798.140(o)) provide the categories to be disclosed for the above disclosures (per § 1798.130(c), referencing §§ 1798.110, .115).
* The inconsistent usage of the plural, “consumers,” and singular, “that consumer,” is a drafting quirk from the text of the CCPA. It is a candidate for clarification by the State Attorney General or state legislature.
Source: https://iapp.org/resources/tools/ccpa-obligations-tool/
Posted by Newport Thomson – Trusted Advisors for Privacy & Data Protection