
California's CCPA now enforced worldwide

31 Aug 2020

Any company that does business with the United States state of California must follow the California Consumer Protection Act (CCPA). The Act, which came into effect on 1 January 2020, only entered official enforcement on 1 July.

The Act, which protects data belonging to consumers within California, is the first law of its kind within the United States – but it also has global scope. 

The Act includes new rights to privacy, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

All businesses that deal with consumers in California must comply with the CCPA and must explain their privacy practices.

For example, businesses must comply with a ‘notice at collection’, which must show what personal information they collect about consumers and for what purposes that information is used.

Further, if a business sells consumer data, the notice at collection must include a ‘do not sell’ link. Businesses cannot force consumers to waive their rights.

Australian companies employ more than 15,000 Californian residents across 83 different industries, according to IT association ISACA.

“The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many,” comments ISACA Privacy Group member David Bowden.

To help educate businesses about the CCPA, global technology firm ISACA prepared an audit program and whitepaper designed for audit and privacy professionals.

The audit program helps professionals to discover how effective their practices are, and helps with ongoing CCPA compliance management. ISACA also provides guidance for dealing with data breaches and security incidents.

“Having a comprehensive audit program is an incredibly valuable tool for guiding through these intricacies, avoiding repercussions and assuring compliance,” adds Bowden.

ISACA states, “By following the detailed testing steps outlined in the accompanying program spreadsheet, auditors can help organisations mitigate business impacts through three key elements:

  • Strong data classification supporting identification and location of consumer data
  • Consistent private data methodology ensuring that third-party vendor handling of private data mirrors that of the entity
  • Agile project management and solid change management programs”

To provide additional context, ISACA has also published Privacy: Beyond Compliance, a white paper that explores the current state of privacy as it relates to compliance, ethics and humanity.
