California Consumer Privacy Act Goes into Effect January 1, 2020

With the advancement of technology and the digital nature of our lives today, privacy has become a pressing issue. Consumers want to know that their private information and data are safe. Despite this growing concern, the U.S. Congress has failed to take legislative measures protecting privacy. But California has stepped forward and addressed the concern by enacting a privacy law at the state level. It’s called the California Consumer Privacy Act (CCPA), and it goes into effect on January 1, 2020. Here’s some information that will help your company make sure it’s ready for the enactment of CCPA.

What is the California Consumer Privacy Act?

The forward-thinking west-coast state has produced the first comprehensive privacy law in United States with its new California Consumer Privacy Act. While this is a privacy breakthrough in the U.S., it builds on the precedent of the General Data Protection Regulation (GDPR) that that the European Union put into place in May of 2018. The idea of GDPR was to give EU residents control over their private information and allow them the confidence of safe digital interactions. In doing this, companies that use individuals’ private information had to meet certain standards in safeguarding their data. Such practices included requiring consent to use data, ensuring anonymity, and designating a data protection officer to oversee GDPR compliance.

Countries outside the European Union—like Japan, China, Brazil, India and others—have begun shaping privacy laws that align with GDPR’s pioneering standards. California’s new law follows along that path and sets standards very close to those of the GDPR. So, from the standpoint of a company for whom CCPA applies, you’ll basically need to do the same things you would for GDPR to be compliant.

Who does CCPA apply to?

 

CCPA applies to companies that do business in California (or with customers who reside in California) and meet at least one of these categories annually:

1. Earn a gross revenue of more than $25 million
2. Derive 50% or more of their annual revenue from the sale of consumer personal information
3. Buy, sell, or share the personal information of more than 50,000 consumers

For more details on CCPA’s standards and who is affected by them, see Microsoft’s FAQ page on CCPA.

5 Ways to prepare for the enforcement of CCPA

Many enterprises who handle customers’ private information view privacy regulations as one of their biggest challenges. Microsoft offers some tips to help make sure your company is prepared and compliant when CCPA enforcement starts:

1. Make use of the Microsoft 365 Compliance Center. Since CCPA an GDPR have so many similar standards, leveraging the GDPR assessment tool in Microsoft’s Compliance Manager, a part of the Compliance Center, will already set you up for good compliance with CCPA. If you’re not familiar with Compliance Manager, it’s a handy cloud-based tool that provides step-by-step guidance for implementing, tracking and recording your data-protection controls.
2. Establish an efficient process of responding to Data Subject Requests. The new regulations give individuals the ability to control the use of their information, such as the right to delete, access or obtain it for use elsewhere. They can make these appeals through Data Subject Requests (DSRs). You, as the company handling their data, are then obligated to promptly consider each DSR and provide a substantive response. This means either taking the requested action or providing an explanation for why you cannot accommodate the DSR. Microsoft recommends using its Microsoft 365 Compliance Center to make this response process faster and easier.
3. Find, classify, and protect sensitive data. Huge amounts of corporate data are not classified and protected. Enterprises today deal with massive amounts of data, which can be hard to keep track of. But CCPA imposes penalties for data breaches of consumers’ personal information, so it’s critical to be on top of protection. Again, there’s a tool to help with this: Microsoft Information Protection uses an intelligent, integrated approach to target the data that is not already classified and protected. It can then automatically discover, classify, and protect certain kinds of data.
4. Make use of encryption. This is an effective way to protect sensitive information from unauthorized parties. Office 365 Message Encryption enables users to encrypt their messages both in and outside of the organization, and in some cases it can be set by default. It’s also a good idea to train users to apply protections like “do not forward” or “encrypt-only” when using Outlook.
5. Embrace consumer privacy rights as a strength of your business. While some enterprises look at regulations as a headache, the truth is that they strengthen company-consumer relations and build a sense of trust and reliability for your organization. Plus, privacy rights are key to a safe and democratic world. If you ever feel the weight of additional standards through CCPA, imagine yourself as the consumer and remember that these standards are what uphold important human rights.

Microsoft’s support for increasing privacy legislation

Microsoft is at the forefront of support for those rights. Although California is as yet the only U.S. state to step forward with this legislation, Microsoft has vowed to honor CCPA’s requirements for its customers anywhere in the United States. (Likewise, it allows its consumers their GDPR data rights around the world.) Especially in the absence of progressive steps from the U.S. Congress, it’s hopeful that a large corporation like Microsoft is dedicated to setting those standards. Then it’s up to companies to stay CCPA compliant, consumers to employ their rights, and citizens to support federal legislation that upholds privacy as well. After all, keeping strong data privacy is good global citizenship.

Privacy is one element of ethical technology. See what else we should be doing to innovate responsibly.