How to Use the U.S. Privacy Laws for Privacy Compliance

If you have completed the Compliance Questionnaire, you may be wondering what further steps you can take to ensure your compliance and improve your cyber resilience.

While the United States does not have a consolidated federal privacy law, privacy regulation currently applies at the state level and at the industry-sector level. The California Consumer Protection Act (‘CCPA’) is the most prominent privacy law addressing consumer data privacy. Your business will need to comply with this regulation if:

  • Your for-profit business collects and controls California residents’ personal information
  • Your business has a presence in the state of California and annual gross revenue larger than $25 million (this includes parents and/or subsidiaries of companies established in California)
  • Your business receives and discloses the personal information of 50,000 or more California residents, households or devices each year
  • Your business derives 50% or more of its annual revenue from selling California residents’ personal information

“Personal Information” under the CCPA is defined broadly, including “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Examples of personal information include:

  • Social Security Number
  • Passport
  • Professional or employment related information
  • Geolocation data
  • Biometric data
  • Educational information
  • Internet activity (e.g. purchase histories)
  • Inferences drawn from the data above (a “probabilistic identifier”, where the data given produces a more than 50% chance of identifying someone)

What are your business’ obligations to comply?

  • Integrate a visible opt-out or notice form (“Do Not Sell My Personal Information”) on your business’ website
  • Notify customers of their right to request copies of their personal information
  • Provide comprehensive privacy notices to consumers when their personal information is being collected
  • Inform customers how that personal information is used
  • Inform customers which categories of personal information were ‘sold’ to third parties in the last year
