By: Paul Schuliger
As we continue our series on data security, I want to talk about an important piece of California “data” legislation that is going into effect on January 1, 2020. The legislation is called the California Consumer Privacy Act, or CCPA.
What is the California Consumer Privacy Act (CCPA)?
*The information below has been pulled directly from the bill, which can be found here*
It is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
1. The right of Californians to know what personal information is being collected about them.
2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
3. The right of Californians to say no to the sale of personal information.
4. The right of Californians to access their personal information.
5. The right of Californians to equal service and price, even if they exercise their privacy rights.
1. What is considered “personal information” under CCPA?
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household.
If, after reading that, you’re thinking that “personal information” under CCPA is basically anything and everything that a business collects on you, then you are correct. CCPA’s definition of “personal information” goes well beyond typical PII (SSN, date of birth, name, and address) by including other data elements like geolocation, education, employment information, purchasing history, and general consumer tendencies.
2. Does a consumer have the right to know how their personal information is disclosed?
Under CCPA, the consumer does have the right to request from the business a report that tells the consumer specifically how the business is handling their personal information. The business must comply with the request within a specific number of days and if not, the business will face penalties.
3. Does a consumer have the right to say no to the sale of personal information?
With CCPA in place, the consumer now has the right to tell a business that the business cannot sell their personal information. The CCPA makes it the business’s responsibility to provide a consumer with the ability to “opt out” of sale of their personal information. The bill is specific on how the business must provide an option on their website that allows the consumer to select whether they want their personal information sold or not.
What would you choose? A recent study found that “nearly 90% of consumers would choose ‘do not sell’ personal data under CCPA.”
NOTE: The business does have the right to keep all the necessary personal information about a consumer in order to be in compliance with federal regulations that take precedence over CCPA.
4. What does it mean that the consumer has a right to access their personal information?
As stated earlier in #2, the consumer has a right to request a report to see their data as well as a right to have all of their data deleted. It’s a good guess that many large businesses are going to face challenges in handling these scenarios.
5. What does it mean that the consumer has a right to equal service, even if they exercise their privacy rights?
The CCPA makes it clear that a business must provide the same level of service to all consumers regardless of whether consumers “opt out” in order to protect private information. This is a safeguard for the consumer.
The business is, however, allowed to offer incentives to those consumers who do not mind having their personal information sold. Incentives could be a discount on a service or a higher level of service if the consumer allows the business to sell their data.
An Important Difference Between CCPA and GDPR
The CCPA is the first legislation of its kind in the United States, but do not think it will be the last. The new bill is comparable to the GDPR legislation that is currently in effect in the European Union, which is even more stringent than the CCPA. Consumers in Europe under the GDPR have to “opt in” with each business to allow the business to collect personal information. That process is much different compared to CCPA enforcement, where the consumer has to “opt out” of the data collection process by the business. Be sure to keep an eye out for stories on how technical teams manage data as the legislation goes into effect in the next couple of months!
Lastly, if you are interested, the actual legislation (see link below) goes into specifics on the implementation of each of the topics covered above.
Our 2019 Data Security Series
This blog post is part 4 of our series on data security. Here are the previous posts:
Part 1: Web Applications and Their Role in Data Security
Part 2: How to Implement Column Level Security in SQL Server
Part 3: Data Security Levels and Their Importance in a Data Warehouse
Thanks for reading. We hope you found this blog post to be useful. Do let us know if you have any questions or topic ideas related to BI, analytics, the cloud, machine learning, SQL Server, (Star Wars), or anything else of the like that you’d like us to write about. Simply leave us a comment below, and we’ll see what we can do!
Key2 Consulting is a data warehousing and business intelligence company located in Atlanta, Georgia. We create and deliver custom data warehouse solutions, business intelligence solutions, and custom applications.