CCPA California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a data privacy law that went into effect on January 1, 2020, in the state of California, United States.
The law gives residents the right to know what information is being collected about them and their children, to receive details of the sources of the information, and to learn how their information is planned to be used. They also have the right to monitor the transfer of personal information and its sale to third parties, and even to demand that companies stop selling or transferring personal information to third parties.
Who is bound by the regulations?
The CCPA applies to businesses that meet at least one of the following criteria:
1. Annual revenue of over $25 million.
2. Collecting or processing personal information of over 50,000 California residents.
3. At least 50% of the business's revenue comes from the sale of personal information.
Key consumer rights under CCPA
1. Right to know – Consumers are entitled to receive information about what data is collected about them and how it is used.
2. Right to erasure – Consumers can request the deletion of personal information, subject to certain conditions.
3. Right to object to the sale of data – Consumers can request that their details not be sold to third parties.
4. Right to access information – Consumers can receive a copy of the personal information that the organization holds.
5. Right to equality in service – Protection from discrimination based on the exercise of privacy rights.
California Privacy Law Compliance Process
1. Mapping and characterization of the organization (data mapping): the types of information collected, from whom it is collected, where it is stored and where it is transferred, the purposes of using the information, and the basis for justification.
2. Updating procedures and policy documents: privacy policies, purposes of use, data processing agreements (DPAs) with suppliers and partners.
3. Establishing a mechanism for exercising rights: access, correction, deletion, and objection to the sale or sharing of information.
4. Appropriate security controls: encryption, limited access, and authorization controls, together with documentation of events and consumer requests.
5. Training of support handling teams as required.
6. Regular monitoring.