California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), one of the first comprehensive data-privacy legislations in the US, was introduced in 2018 and has been enforced by the State of California since January 1, 2020. The legislation seeks to establish procedures for identifying, managing, securing, tracking, producing and deleting consumers' personal information so as to protect the privacy rights of users.
CCPA applies to entities that do for-profit business in California and handle the personal data of California residents, where the business meets at least one of the following thresholds:
- annual gross revenue over US $25 million;
- receives or discloses the personal information of 50,000 or more California residents; or
- derives 50 percent or more of its annual revenue from selling California residents' personal information.
The legislation protects personal data under a broad definition, including items such as phone numbers, social security numbers, biometric information, and Internet Protocol (IP) addresses.
Rights of Consumers
CCPA seeks to provide strong legal protection to consumers through the following enumerated rights:
- Right to know: Consumers have the right to know the details of the personal information being collected by the business entity, along with the source and purpose of the collection. Consumers have the right to access the personal information collected about them by making a request to the entity, which must disclose it to them free of charge within 45 days.
- Right to delete: Consumers have the right under the CCPA to ask the business entity to delete the personal information in its possession pertaining to them, subject to certain exceptions such as information that must be retained for legal and regulatory purposes.
- Right to opt out of sale: Consumers must also be able to learn whether and to whom their personal information is sold, disclosed or shared. Consumers further have the right to opt out of such a sale, subject to certain exceptions.
- Right to non-discrimination: A business entity cannot deny any individual the right to equal treatment; it cannot discriminate against a consumer who has exercised their CCPA rights.
CCPA places various obligations on business entities to protect personal information from unrestrained transfer and processing:
- Entities are obligated to ensure that consumers are provided with information relating to the processing of their personal data.
- In the interest of transparency, consumers must be notified, before or at the point of collection, that permission is being sought to collect the specified data.
- Consumers must be granted the right to access the personal information that the entity holds.
- The entity must lay down a procedure for making requests and, similarly, must maintain a "Do Not Sell My Personal Information" opt-out option so that consumers can exercise their rights.
- The entity must maintain a data inventory to track its data processing history.
Basis for Processing of Data under CCPA
Under CCPA, data may be processed for either business or commercial purposes. The general rule is that the consumer's consent is not required for collecting or using their personal information. The exception is that consent is required when the business entity intends to sell the consumer's personal information to a third party. For consumers who are minors under 16 years of age, the individual's guardian must grant affirmative authorization for the sale by opting in.
Corresponding to the obligations laid down under CCPA, the regulation provides for penalties to ensure accountability and compliance. The severity of the penalty varies with the intent, frequency and seriousness of the entity's non-compliance. CCPA provides for maximum civil penalties of $7,500 for intentional violations and $2,500 for unintentional violations.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act, which shall be enforced from 1 January 2023, gives control of data to the data subjects. The rights conferred by the Act play a major role in letting data subjects know how much of their data is being processed, the reason it is being processed, how long it will be retained and the extent to which it will be used. A key element is that CPRA does not apply to non-profit entities and other small businesses. CPRA also regulates third parties who collect data from entities operating in California. The Act also applies to entities that do not operate inside California but collect data of California residents.
The CPRA applies to businesses that:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents' personal information.
Rights of Consumers
- Right to delete – The consumer can ask the business to delete the personal data it has collected.
- Right to limit use of data / Right to opt out – The consumer can opt out of the sharing of their data or can limit the use of their data.
- Right to access the data – The company must provide this data to the consumer on demand as soon as possible.
- Right to alter the data – The consumer can alter the data collected by the company.
- Right to know – The consumer has a right to know what data is shared and with whom. The consumer shall have the right to request that a business that sells or shares the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer.
- The company must map its data collection, flow and processing activities, and keep a strong record of the data that is being collected and used.
- The company must provide detailed privacy notices to consumers about the data it collects and the purposes for which it will be used. It also needs to state whether such data is being shared, with whom and for what purpose.
- The company must maintain security practices to prevent breaches.
- The company must maintain a procedure to process any request by the data subject immediately.
Basis of processing data
Consent is the key factor for processing data under CPRA. CPRA establishes that consent should be undisputed and clear. The company should clearly state the purpose for which the data is processed. The company also needs to obtain special consent when it processes special categories of data. If a service provider engages another person to process personal data on its behalf, the existence of that engagement shall be notified. Such data can also be processed to fulfil a legal compliance obligation or in matters of special concern.
Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers.
Connecticut Data Breach Law (CDBL)
The Connecticut Data Breach Law is set to be enforced from 1 October 2021. It provides the same kind of data protection and rights as the California Privacy Rights Act. This law also applies to non-profit organizations, giving it wider jurisdiction.
The personal information included within the scope of this Act is:
- Individual taxpayer identification number
- Identity protection personal identification number issued by the IRS
- Passport number, military identification number or other identification number issued by the government that is used to verify identity
- Medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
- Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; and
- User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
Rights of Data Consumers
- The consumer can choose to opt out of sharing any data. They can request that the company stop sharing their data with any third party.
- The consumer can, on request, obtain all the data that the company stores about them.
- The consumer can request that the company delete all data relating to them.
- The consumer can correct the data they earlier provided to the company.
- The company should conduct a thorough data assessment and map what data it collects and what data it shares.
- The company has a duty to send data breach notifications to state residents, licensees of personal information, third parties and the Attorney General about whose personal data is breached or believed to be breached.
Basis of Processing of Data
The basis for processing data is consent. The controller may collect data from a user only after obtaining affirmative consent in written form. The controller shall not process any sensitive data without the user's consent. Processing of data between the processor and the controller shall be governed by a contract. Data can be processed without consent to fulfil a legal obligation or where it is necessary to protect someone's interests; however, while processing such data, care must be taken that the processing causes no damage to the interests of the consumer.
The law shall be enforced by the Attorney General of Connecticut. Civil penalties shall be imposed as for unfair trade practices, and a private right of action is granted to data subjects.
Any controller or processor shall be liable for a civil penalty of not more than $7,500 for each violation.
Virginia Consumer Data Protection Act (VCDPA)
The State of Virginia enacted its data protection law, the Consumer Data Protection Act, on March 2, 2021. The Act shall be enforced from 1 January 2023. The legislation follows the framework of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). The law provides individuals of the state with certain rights when their data is collected, ensuring they have control over the processing of their data.
The legislation applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and that:
- Annually control or process the personal data of at least 100,000 Virginia residents, or
- Control or process the personal data of at least 25,000 Virginia residents and derive over 50% of their gross revenue from the sale of personal data.
Rights of the Consumers
- To confirm whether the controller is processing their personal data;
- To access the personal data processed;
- To correct inaccuracies in the personal data;
- To delete personal data provided to the company;
- To obtain a copy of the personal data provided to the controller;
- To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- The company must conduct an annual data assessment and map the flow of data.
- The company must maintain a list of all the data it collects and provide a reason for collecting it.
- Privacy notices and policies must be provided to consumers, stating the purpose of collection, retention and the termination of processing.
- When selling or sharing collected data, appropriate safeguards must be in place, and the company must ensure that the recipient company also maintains appropriate safeguards.
- If data is transferred out of the country, the company should ensure that the data is safe and that it maintains strong privacy policies to avoid any breach.
Basis of processing of Data
The basis for processing data is consent. The controller may collect data from a user only after obtaining affirmative consent in written form. The controller shall not process any sensitive data without the user's consent.
This law gives special focus to mapping the procedures followed to sell or share data, and, unlike the CPRA and CDBL, it exclusively provides the data subject with the right to opt out. For any violation of this Act, fines of up to $7,500 per violation can be imposed.
Colorado Privacy Law (CPL)
The Colorado Privacy Act was passed on June 8, 2021 and will be enforced from July 1, 2023. The scope of the Colorado Privacy Act (CPA) is reminiscent of the CDPA and CCPA but includes a few notable differences. The CPA applies to any controller that:
- Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
- Controls or processes the personal data of at least 100,000 consumers during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.
Rights of Consumers
- Right to opt out – The data subject can choose to opt out of sharing any data.
- Right to access – On request, the company must provide the user with all the data it holds about the user.
- Right to correction – The user has the right to rectify any error in the data provided earlier.
- Right to deletion – The user can have any data they earlier provided to the company deleted.
- Right to data portability – If the user wants to move their data from one company to another, they can request that the company transfer their data to the other company.
- The company must map where data is collected from and how it is used.
- The company must conduct privacy impact assessments from time to time to ensure there is no possibility of a data breach of any sort.
- Data security measures must be checked at regular intervals.
- The company must maintain privacy notices and policies.
- The company must maintain a procedure to process any request by the data subject immediately.
Basis for processing of data
The basis for processing data is consent. The controller may collect data from a user only after obtaining affirmative consent in written form. The controller shall not process any sensitive data without the user's consent. Data processed by the processor for the controller shall be governed by a contract. Processing without consent can be allowed for reasons of public interest in the area of public health, but solely to that extent. Data cannot be transferred to a third party without the consent of the consumer; where a contractual obligation requires such a transfer, the consumer must be notified.
The Attorney General and District Attorneys have exclusive authority to enforce this Act. The party would be held liable for any breach that occurs.
We offer the following services to our clients as a part of our US Implementation Programs:
- Implementing Privacy Ecosystems
- Providing Data Protection Impact Assessments
- Providing GAP ecosystems
- Acting as a Data Protection Officer
- Data Protection and Privacy Consulting and Advisory
- Evaluating and monitoring compliance levels from a legal standpoint under various jurisdictions
- Drafting relevant agreements/ policies for securing consent, provision of notice etc.
- Suggesting security and privacy best practices, policies and standards
- Developing mitigation plan for possible privacy breaches
- Assisting with disputes under the realm of data protection/ privacy, if any
- Delivering trainings on the legal provisions to the concerned teams
Benefits of the USA Compliance Program
As part of our USA compliance program, we help you to:
- Comply with the privacy laws efficiently and effectively.
- Recognize, assess and strategize personal data within your organization.
- Adapt, improvise and leverage your existing privacy compliance in order to comply with the legislation.
- Respond to data subject rights and fulfil business obligations under the legislation.
- Manage policies and notices and maintain data privacy structures within the organization.
- Provide an effective solution to all organizational privacy requirements.
- Obtain cost-effective solutions for privacy compliance from subject matter experts.
- Implement the privacy program with industry professionals who have prior experience with US MNCs.