As long as there has been a lack of a singular national standard in the US for data privacy law, states have been individually filling the void with their own legislation. California has been one of the leading states on cybersecurity policy, and their recent California Consumer Privacy Act (CaCPA), effective as of next January, looks to further their efforts substantially.
The new legislation appears to be taking cues in several ways from GDPR, which is hardly surprising. Consumers will gain greater control over their personal data and how businesses handle it, just as their European counterparts. Those who wish can inquire after the who, what, where, why, and how, of a company that collects their data.
Let’s run through that for a minute. Personal data is regularly shared with third parties once an organization has acquired it, and under the new law, consumers will be able to find out just who that includes. What’s more, they can go a step further and ask for their data to be deleted from a company’s records. The “what” obviously entails knowing what data is collected and stored; “where” it resides on a company’s network is also a crucial component to data security, as too often staff will not know where certain data rests, and so cannot ensure its safety from intruders slipping through.
Equally important is the reason for gathering the consumer data. Under the CaCPA, people will now have the GDPR-esque right to pursue that question as well. We have talked about this before, but any entity that collects personal data on their users or consumers (which is a great proportion these days) should review its policies and examine whether it is truly necessary to their operations. One option to consider is anonymizing the data of personally identifiable information (PII), while leaving information that isn’t as identifiable (though encrypting it is also highly advisable). Also consider such factors as how long data will be kept and what the disposal process is. Speaking of which, last but not least, CaCPA will even allow consumers to ask how exactly their data was collected: was it taken while browsing a company website, filling out a registration form, etc.?
All this might not seem like the most important information, but it’s crucial for effective transparency. Those that don’t make the effort, moreover, will face penalties. Refusal or failure to comply with these consumer requests, at minimum, will result in fines and potential lawsuits from customers.
It certainly isn’t an easy task for companies to acclimate to constantly evolving legal frameworks. But to avoid harsher consequences and ensure their consumers’ data is kept safe, it is necessary.