California's CCPA now enforced worldwide
Any company that does business with the United States state of California must follow the California Consumer Protection Act (CCPA). The Act, which came into effect on 1 January 2020, only entered official enforcement on 1 July.
The Act, which protects data belonging to consumers within California, is the first law of its kind within the United States – but it also has global scope.
The Act includes new rights to privacy, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
All businesses that deal with consumers in California must comply with the CCPA and must explain their privacy practices.
For example, businesses must comply with a 'notice at collection', which must show what personal information they collect about consumers, for what purposes that information is used.
Further, if a business sells consumer data, the notice at collection must include a do not sell link. Businesses cannot force consumers to waive their rights.
Australian companies employ more than 15,000 Californian residents across 83 different industries, according to IT association ISACA.
"The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many," comments ISACA Privacy Group member David Bowden.
To help educate businesses about the CCPA, global technology firm ISACA prepared an audit program and whitepaper designed for audit and privacy professionals.
The audit program helps professionals to discover how effective their practices are, as well as ongoing CCPA compliance management. ISACA also provides guidance for dealing with data breaches and security incidents.
"Having a comprehensive audit program is an incredibly valuable tool for guiding through these intricacies, avoiding repercussions and assuring compliance," adds Bowden.
ISACA states, "By following the detailed testing steps outlined in the accompanying program spreadsheet, auditors can help organisations mitigate business impacts through three key elements:
- Strong data classification supporting identification and location of consumer data
- Consistent private data methodology ensuring that third-party vendor handling of
- private data mirrors that of the entity
- Agile project management and solid change management programs
To provide additional context, ISACA has also published Privacy: Beyond Compliance, a white paper that explores the current state of privacy as it relates to compliance, ethics and humanity.