On January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect. As privacy and data security is paramount to our company and the way we conduct business, we want to ensure all our clients, prospects, and partners understand the implications of CCPA and how both WizeHive and the ZengineTM platform are impacted.
At a high level, the new regulation clarifies the definition of “personal information” under California state law, sets forth the rights of California residents in regard to their data, as well as lays out how businesses who must be compliant with CCPA may collect, use, and share that data. The law establishes important disclosure requirements on the sale of personal information with clear processes for the consumer to opt out without unfair consequences.
Who must follow CCPA?
In general, CCPA is directed toward for-profit businesses and corporations that are headquartered within the state of California. However, companies that do not operate in California but do business in California or collect data about California residents would be required to follow CCPA as well, if they exceed certain revenue or transaction levels set in the CCPA.
Nonprofits are generally not subject to CCPA.
What must businesses do under CCPA?
Businesses must be clear and fair about how they collect and use consumer data. This data includes personal information (name, email address) as well as household information (physical address, number of residents in the home).
Requirements include providing notice to consumers that data is being collected before or during the actual collection, clarifying how that data will be used, creating internal procedures on how to respond and comply with consumer requests to opt-out, review data, or delete data, ensuring consumers who make requests are responded to within set-forth timeframes, and making sure the identity of those requesting review or changes is verified.
Businesses must also clearly disclose whether personal information is sold to third parties and establish detailed requirements for allowing consumers to opt out of such sales without incurring unfair consequences as well as to make requests for deletion or other matters.
If I have to follow CCPA, is Zengine compliant?
Zengine is CCPA compliant. All forms and portals can be edited to include required disclosures, provide disclaimer language about the data being collected, and allow for opt-in fields (opt-in fields are not required under CCPA, but have become popular with organizations putting an emphasis on data privacy). Administrators have access to all collected information within their workspace, and so can work with concerned consumers to review data and make any necessary changes or deletions. Audit logs can track these requests, as well as any edits or deletions made to the workspace data.
Individual companies will have to draft, approve, and conform to their own data review procedures, but Zengine can be used to track those steps.
Does CCPA require me to change how my data is stored?
CCPA does not require businesses to hold data on servers in any single geographic area. CCPA also does not require that data be encrypted. The AWS servers Zengine utilizes are based in the U.S., follow some of the highest security protocols, utilize encrypted data, and are compliant under CCPA.
Is CCPA the same as GDPR?
CCPA is similar, but not identical, to the General Data Protection Regulation, an EU-based regulation that puts restrictions around how the personal data of EU citizens can be collected, shared, and used.
The biggest differences are:
CCPA is focused on California residents and data linkable to an individual consumer or a household, while GDPR covers all EU entities (residency or citizenship not required) and focuses on personal data related to an individual only.
CCPA applies to for-profit companies only, while GDPR applies to all organizations.
Under CCPA consumers can request deletion of personal data collected by the organizations from the consumer, while under GDPR individuals can request deletion of data no matter where the information was acquired originally.
In many respects, GDPR’s regulations are stricter than those of CCPA. If your organization is GDPR compliant, you can assume you meet the majority of requirements under CCPA. That said, your processes, terms, and policies should be reviewed to ensure inclusion of all CCPA requirements.
More details about CCPA can be found here. If you have any questions about Zengine and CCPA, please contact your account representative.
This article does not serve as legal advice. Please consult with your legal team if you believe you are subject to these or any regulations.