Just when you thought you had a sense of how to deal with the European Union’s GeneralData Privacy Regulation (GDPR), which went into effect on May 25, along comes the newly enacted California Consumer Privacy Act (CCPA).
Like GDPR, the new California legislation establishes consumer rights over personal data, including the right of deletion of that data, the right to opt out and the right to grant consent before data is collected. It affects companies doing business in California, although the exact definition of that term is expected to be determined more exactly by the time the Act goes into effect in January 2020.
To help organizations get a sense of whether they have to comply with CCPA, and, if so, what that might involve, privacy management software provider OneTrust is out this week with what it says is the new law’s first Initial Planning Assessment tool (registration required), developed with the International Association of Privacy Professionals.
It offers interactive questions that help scope out the situation for a given business, such as whether CCPA applies, determining whether the business is in charge of the data (the focus of CCPA is on data controllers) and the extent to which the business collects personal data.
The tool also helps users review the implications of user rights and business obligations, such as requirements to inform consumers of data breaches or what choices should be offered before data collection. It also presents supporting tasks that may be required, including updates to privacy-by-design efforts or to security programs.
OneTrust also offers other free basic tools that might be employed in conjunction with the Planning Assessment tool, such as a basic data mapping tool, a tool for posting cookie-notification banners and a portal for handling user rights management (the latter of which is free only up to a small number of users).
OneTrust’s main product, its Privacy Management and Marketing Compliance suite, has added CCPA requirements to its implementation tools for GDPR and other regulations, and OneTrust director of privacy Andrew Clearwater told me his company expects to add other state- or country-based privacy requirements as they emerge.
If California were treated as a separate country, Clearwater pointed out, it would be the fifth largest economy, not to mention the fact that the state is arguably the world center for technology and media companies. This means, of course, that the state’s data privacy regulations could have a major impact on business elsewhere.
The definition of personal data under CCPA is still being refined, he said, but it shares some commonalities with GDPR. It includes IP addresses and data that is used to create a profile, for instance, but it applies to a household as well as a consumer and can include browser history and search history, even if those records cannot be tied back to an individual.