Potential Implications of the California Consumer Privacy Act (CCPA) for Insider Risk Programs

All organizations have to balance insider risk management against employee privacy. Organizations should aim to monitor activity while maintaining employees’ trust and privacy, based on organizational risk appetite, culture, and compliance needs. Despite the lack of a comprehensive federal privacy regulation like the European General Data Protection Regulation (GDPR), states such as California are instituting their own privacy mandates. State-based protections can have widespread impact, causing many organizations to rethink or change their insider risk management practices.

This blog post reviews the general framework of the California Consumer Privacy Act (CCPA), describes specific implications for insider risk management, and provides recommendations to prepare insider risk programs to mitigate concerns before the CCPA takes effect.

How the CCPA Protects Consumers and Employees

California first enacted the CCPA in 2018 to provide the state’s consumers a variety of privacy rights to protect their personal information collected by businesses. The act gives California residents the rights to

- know what personal data is being collected about them
- know whether their data is sold or disclosed and to whom
- prohibit the sale of personal data
- access their personal data
- request a business to delete their data
- not be discriminated against for exercising their privacy rights

The act applies to any organization that does business in California and satisfies at least one of the following:

- annual gross revenue of more than $25 million
- buys, receives, or sells the personally identifiable information (PII) of more than 50,000 consumers or households
- earns more than half of its revenue from selling consumer PII

California extended these consumer rights to employees in the passage of the California Privacy Rights Act in November 2020. This act goes into effect on January 1, 2023. As a result, CCPA protections will be extended to include California employees, specifying obligations regarding data collection and usage by employers:

notify, at the time of collection, employees, contractors, and applicants of the categories of information they collect and how they



The post Potential Implications of the California Consumer Privacy Act (CCPA) for Insider Risk Programs appeared first on Carnegie Mellon University's Software Engineering Institute Blog.
