California Consumer Privacy Act of 2018
How are you preparing?
How does it affect me?

The California Consumer Privacy Act of 2018

The California Consumer Privacy Act will take effect from 1 January 2020 and has deep parallels with the GDPR. The Act requires far higher levels of active data management than is currently the case and poses a significant compliance challenge. To be ready by the implementation deadline, companies with California consumers as customers need to take steps now.

The Act is applicable to a company doing business with California residents' data and the business falls into any of the following categories:
  • The business has annual gross revenues in excess of US$25,000,000.
  • The business deals with personal information on 50,000 or more (i) consumers, (ii) households, or (iii) devices.
  • The business derives 50% or more of its annual revenues from selling consumers’ personal information.

General Principles

Right to know

A business must provide the consumer with information on the categories and specifics of personal information that they collect, including details on its sale and disclosure to third parties.

Right to access

When requested to do so by a consumer, a business must provide a copy of the personal information that they hold on them.

Right to deletion

When requested to do so by a consumer, a business must delete personal information that they hold on them.

Right to equal service

Businesses must not discriminate against a consumer who is exercising any of their rights under the law.

Right to opt-out

Consumers must be able to opt-out from the disclosure and sale of their personal information to third parties.

How to get prepared

Data discovery and mapping

Find what data is where and to what category it belongs.

The Data X-Ray connects to your datasource in seconds and keeps track of where your data is and how it is being processed so that you can prove your compliance over time.

  • Find sensitive data immediately on cloud services that you use
  • Easily report on this to regulators, clients, and auditors

    • Data evaluation

    Determine the risk / reward balance in continuing to keep any particular piece of data.

    Once you have found where data is, you need to do something about it. The Data X-Ray includes workflow labeling tools to tag data for deletion, create issues for particular records, and find individuals across multiple datasources simultaneously.

  • Keep track of data management actions
  • Search for and remediate an invidual's data

    • Process implementation

    Ensure that processes and technology are in place to manage data appropriately and report to consumers on data usage.

    Process means that you establish a methodology and ensure that you are following that methodology over time. Ohalo can help you do both by first discussing what your privacy policies and internal data management processes should look like. We help you enforce and track those processes with the Data X-Ray data discovery and mapping tool.

  • Create a compliant privacy policy
  • Ensure that you are implementing the principles in the policy over time

    • Ongoing monitoring and reporting

    Maintain records of what you are doing so that you can prove appropriate activities over time.

    In the event of an audit or--in the worst case--legal action, it is critical that you are able to establish an audit trail of how you have been managing your data over time. The Data X-Ray automatically keeps track of this over time and this data is available in an easy to access report and periodic emails. You can also output the report data through any existing visualization or business intelligence tools that you may be using.

  • Automate data compliance trails
  • Easily prove your compliance through reporting tools