Tag Archives: data management

California Consumer Privacy Act (CCPA)

Compliance Management toolkit addresses California Consumer Privacy Act (CaCPA) and GDPR

CaCPA goes into effect January 1, 2020 and places new burdens on companies that do business with California residents. This includes both domestic and international organizations. Who must comply with CaCPA?

  • Companies that serve California residents and have at least $25 million in annual revenue
  • Companies of any size that have personal data on at least 50,000 people
  • Companies that collect more than half of their revenues from the sale of personal data

Once California regulators notify a company that they are in violation of CaCPA, companies have 30 days to comply. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. In addition, the law allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

What companies must do to comply

One of the first things they must do is add a clearly visible footer on their websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. One shortcut available to companies that do not share data is to state in the common footer that data is not shared.

Data covered by CaCPA

The law originally covered employee data in addition to consumer data; it was later amended to exclude employee data. Companies must allow consumers to choose not to have their data shared with third parties. That means companies must be able to separate the data they collect according to each user’s privacy choices. A California consumer also has the right to find out what information a company collects about them.

After receiving an access request, a company has 45 days to provide the consumer with a comprehensive report covering what types of information it holds, whether that information was sold, and to whom. If the data was sold to third parties over the past 12 months, the report must include the names and addresses of those third parties.

The data covered by the law includes:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.


Record Classification

Record Classification, Management, Retention, and Destruction Policy Updated

Record Classification was just added to the Data Management Policy. The purpose of the addition is to reduce the sensitive data footprint in order to meet the most recent rigorous compliance standards.

Record Classification and Management

Record Classification, Management, Retention, and Disposition Policy can be acquired separately or with the CIO IT Infrastructure Policy Bundle.

Most other data classification tools don’t go the extra mile. Their technology only looks for specific terms in your documents; it doesn’t provide the intelligence you need to secure the personal information of your customers or employees. Janco’s Record Classification, Management, Retention and Disposition Policy provides visibility into where sensitive files are, what content is inside, who can access the files and who actually uses them.

Included with the policy is a crisp definition of data classification.

The foundation of any good record management program is developing a consistent records classification system across the organization.

While there are many record classification systems, one recommended best practice is a three-tier classification based on business function, record class, and record type.

The first step toward developing a records classification system is taking an inventory: a comprehensive and accurate listing of the locations and contents of all records within the organization.

The second step is grouping the records in the inventory according to business functions, record class, and record type:

  • Common business functions include operations, finance, legal, marketing, human resources, and others.
  • The top-level business functions are broken down into record classes. For instance, two record classes under the accounting function are accounts payable and accounts receivable.
  • Record types are a further subdivision of record classes. For instance, the accounts payable record class can be further broken down into accounts payable aging reports, accounts payable distribution reports, cash disbursement reports, and other categories.
