This is a guest blog from Very Good Security.
In our last blog post about CCPA, we went into the details of California’s comprehensive privacy law, more formally known as the California Consumer Privacy Act. Coming into effect January 1, 2020, the new privacy law pertains to companies that collect data from California residents, regardless of where the company is located – both within the United States and globally.
Comparisons are often made between CCPA and Europe’s General Data Protection Regulation (GDPR), and being GDPR compliant does give you a strong foot in the door for CCPA compliance. Both CCPA and GDPR extend consumers’ rights over the information that you collect about them. Both frameworks also give people the right to request that their personal information be deleted and the right to restrict how their data is used.
Despite the similarities, there are several differences between the two data privacy laws. The California Consumer Privacy Act limits a consumer’s request to data collected in the prior twelve months, whereas GDPR requires that an organization have a business or legal justification for processing an individual’s data. In addition, GDPR applies to nearly all companies that do business in the European Union or market to people within its territory. CCPA, by contrast, applies only to organizations that do business in the state of California and meet one of the three requirements for being subject to the law.
One of the major differences is that CCPA has requirements related to the sale of personal information belonging to California residents. Businesses that sell consumer data must allow people to opt out of the sale of their information, and are required to include a “Do Not Sell My Personal Information” link on their website and mobile apps. This is a strict requirement: once a consumer has opted out, the business is not allowed to ask them to authorize the sale of their personal information again for at least 12 months.
In order for your customer to be confident that their information isn’t being directed towards endpoints that result in the sale of their data, you need control over your organization’s data security. With VGS, you get flexible controls to dictate where your customer’s personal information goes, ensuring that your company acts within the boundaries set by the California Consumer Privacy Act.
How can VGS help
Both the GDPR and CCPA frameworks require businesses to know where their data is and to be able to identify an individual’s (or household’s) sensitive personal information. This is especially important for complying with the CCPA requirement to restrict the sale of data and to refrain from asking to sell it again for 12 months.
VGS allows you to restrict the processing of personal data, whether to comply with CCPA requirements or GDPR requirements. Sensitive data that passes from your customer, through your business, and into VGS systems can be shared with any approved third party.
In turn, that information can be blocked from reaching unwanted endpoints entirely. With this level of control, you can remain CCPA compliant while still using the third-party services needed to run your business.
For example, if you are given personal information in order to provide a customer with financial advice through your app or website, you can choose to send that information to various endpoints, internal as well as external, including endpoints that sell data to third parties. If the customer then exercises their right to opt out of data selling, VGS lets you direct the sensitive personal information only to the endpoints required to provide your service’s functionality, respecting consumers’ rights and guaranteeing total data privacy.
It is this level of flexibility that gives your customers the best experience while leaving them confident in how their sensitive personal information is managed, while you avoid the monetary penalties tied to violating the California Consumer Privacy Act rules – and entirely eliminate the risk of a potential data breach.
Achieving compliance shouldn’t be a struggle; here is a simple checklist to help you harden your CCPA compliance. Check out the Developer’s guide to CCPA here.