Written by Anne Kimbol, Chief Privacy Officer, HITRUST
The California Consumer Privacy Act of 2018 (CCPA) is a lightning rod of controversy- receiving as much praise as criticism.
Recognizing that the effective date of the CCPA is January 1, 2020, organizations throughout the U.S. are reviewing and updating their data protection programs as required to meet the legislation’s requirements. This effort is complicated by the fact that the law’s language itself is a moving target and draft regulations are still in process.
The current version of the CCPA applies to businesses that meet certain thresholds of revenue or collection of data on individual consumers. Like the European Union’s General Data Protection Regulation (GDPR), the law would apply to businesses outside of California who collect or use personal data of California residents. This is a key component of the legislation that businesses and consumers should understand.
Consumers have the right to receive information on what data has been collected and shared, the right to opt-out of sharing of their data, access to their data, and finally, the right to have their data released. Organizations must provide consumers at least two means to opt out of sharing their information. Additionally, businesses must include on their websites a “Do Not Sell My Personal Information” link that takes the consumer to an opt-out method.
Businesses have increased requirements for descriptions online of their privacy policies to provide consumers more information on how the business uses data and how requests may be submitted.
The first set of amendments to the CCPA was passed August 31, 2018. The amendments largely clarified which laws CCPA preempts and which highly-regulated industries could continue to rely on their current regulatory regime, including data subject to the Health Insurance Portability and Accountability Act (HIPAA) and those subject to the Gramm-Leach-Bliley Act (GLBA). Organizations complying with HIPAA and the GLBA would still need to comply with the CCPA for data not covered by those laws.
The most significant changes involved enforcement of the new legislation, which is the first of its kind in the United States. While the CCPA will be effective January 1, 2020, the amendments extended the California Attorney General (AG)’s deadline for adopting regulations from January 1 to July 1, 2020 and delayed the AG’s ability to bring enforcement actions until six months after regulations are adopted or July 1, 2020, whichever occurs first.
Possible Additional Amendments
The California Legislature is currently in session, and multiple data protection bills have been filed, including three that specifically would amend the CCPA. Assembly Bill (AB) 846 would clearly state that loyalty discount programs are allowed under the law; the lack of clarity on this issue was raised repeatedly by organizations, including several large grocery store chains, during hearings held by the AG. AB 1760 would clarify the right of consumers to obtain information regarding shared data without discrimination. Senate Bill 561 would add a private right of action, would clarify that the AG may give general guidance, but not specific guidance to an individual organization, and would remove language that limits the ability of the AG to institute enforcement actions without allowing the organization a cure period.
The AG’s office has held public meetings to obtain feedback on possible regulations and clarifications that are required, but the draft regulations have yet to be released, meaning more changes may be in the wind. The AG rules are expected to, among other guidance, clarify if the CCPA applies to employee data.
HITRUST and the CCPA
The HITRUST CSF® can help organizations comply with the new demands of the CCPA now and in the future as the law evolves.
HITRUST has been involved in the CCPA process for some time now. We submitted comments to the AG’s office regarding recommendations for the regulations, including providing safe harbor to entities that have a data protection certification through a third-party assurance process, like the HITRUST CSF. We continue to monitor potential CCPA amendments and the rule-making process. Additionally, HITRUST will be releasing version 9.3 of the HITRUST CSF later this year, which will include integration of CCPA requirements into the framework and their respective mappings.
In the interim, compliance with version 9.2 of the HITRUST CSF, including both the security and privacy controls, provides a strong basis for CCPA compliance. The GDPR, which is included in v9.2, and the additional privacy frameworks used in v9.2, including the Fair Information Practice Principles (FIPPs), speak to the sort of consumer rights included in the CCPA, including the right to information on data collection, the rights to correction and deletion, and the need for strong security programs to ensure the confidentiality of personal data.
The most common complaints about the CCPA include the lack of clarity regarding the requirements and how to comply. Until more guidance is available from the California Legislature and the AG’s office, having a strong data protection program that meets the high standards of the privacy laws and related requirements in the HITRUST CSF will ensure that organizations have a solid basis on which to comply with and likely exceed the requirements of the CCPA.