While some people may not think much about the security of their data on the Internet, a growing number of us are becoming concerned. On the heels of the European data crackdown with GDPR in 2018, California passed a new data policy: The California Consumer Privacy Act (CCPA), A.B. 375.
The impact of the California Privacy Act on associations and other entities that collect information online is still being evaluated following the law’s implementation in 2020. Still, associations that collect, store, and use personal data should pay attention to CCPA compliance regulations.
Whether or not your association gathers information from members in California is irrelevant. Sooner or later, similar legislation is coming to your state, and prior preparation can save you from numerous headaches.
Is the sudden surge of interest in online data security warranted? And if so, why is it coming to a head at this point in time? Understandably, the tech world is nervous about the power it holds with data collection, especially after recent data breaches in the news at Target, Cambridge Analytica, Equifax, and others.
With sensitive personal information at stake, including financial account information, a growing number of Internet users are demanding higher standards, more transparency, and tighter personal control over their own data and how entities use it. If data breaches can happen to large corporations, how vulnerable are local businesses and associations?
In a press release, the lawmakers who sponsored the CCPA compliance legislation affirm, "The collection of our information combined with data breaches has raised concerns from Internet users worldwide." Without a doubt, some of your association members are among those concerned.
According to the Harvard Business Review, the CCPA compliance law:
“Gives consumers the legal right to ask businesses and organizations for the types and categories of personal information being collected. It also requires any entity that collects data to disclose the purpose for collecting or selling the information as well as the identity of the third-party organizations receiving the data. Consumers can also request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data.”
Surprisingly, pieces of AB 375 are similar to Europe's General Data Protection Regulation. The passage of GDPR was at least partially driven by increasing worries over companies such as Google and Facebook and how they handle users’ personally identifiable information.
In fact, an even stricter measure was proposed to go before California voters. But after intense negotiations, industry leaders relented to allow California lawmakers to enact a bill that was more acceptable.
What is the impact of the California Consumer Privacy Act for associations? Maybe nothing, for now. Although the law only applies to California residents, much broader implications are not far away. Most major businesses, associations, and organizations have clients or members in California, from whom they have collected personal data.
Those that do must either align their global data protection practices with the CCPA compliance law or enact two completely different systems: one for California and one for the rest of the world. Given the cost and utter impracticality of maintaining dual policies, every entity that collects personal data will have to comply with the new law in its final form.
Some companies, including Microsoft, have publicly declared their intention to comply with the GDPR standard for data security everywhere in the world that they do business. Whether or not your association chooses to adopt the more stringent GDPR standards, or adhere to California’s CCPA compliance regulations, stricter data handling practices are becoming necessary.
An important part of digital transformation is making sure your association handles the personal data it collects with the utmost care. This is not just about adhering to new laws; it’s about earning and keeping the trust of your members.
Any future that does not include a strict data policy is folly. Have you taken the necessary steps for successful digital transformation, including the creation of a stricter data collection and use policy to meet CCPA compliance requirements? If not, it's time you make a plan.