california consumer privacy act Archives - Zasio

Data Minimization is Good Information Governance

Zasio — Fri, 05 Apr 2024 14:25:16 +0000

The California Privacy Protection Agency issued its first-ever enforcement advisory on April 2, reinforcing that data minimization is a founding principle under the California Consumer Privacy Act. In the memo, the agency underscores that covered businesses should apply the data minimization principle to every purpose involving the collection, use, retention, and sharing of consumer personal information. The memo was prompted by concerns that businesses are asking consumers for excessive and unnecessary personal information in connection with consumer data deletion requests.

As the CCPA’s enforcement memo highlights, data minimization reduces the risk of unintended data access, is part of good data governance, and businesses can reduce risk exposures by regularly evaluating how they collect, use, retain, and share personal information. The memo further provides a few thought exercises to help organizations examine and apply the data minimization principle in some common consumer data rights requests contexts. Questions organizations should often ask include: Do we really need more information than we already have to achieve our purpose? What are the possible negative impacts from collecting and using the information we control? And what additional safeguards are available to help address the potential for negative impacts?

At Zasio, we help organizations make data minimization a foundational part of not only their personal information processing, but throughout their records and information practices. Good information governance requires organizations think about how they collect, use, retain, and share not just personal information, but all records and information.

Good information governance requires organizations to frequently ask themselves questions like (i) are your business units being precise or overbroad in their records and information collection and retention, (ii) what records and information in your domain no longer have business or legal value and are ripe for disposal, and (iii) what additional safeguards can we apply? Having a well-vetted and consistently followed records and information management policy and records retention schedule, routinely updating these documents, and ensuring functions like IT, security, and privacy, are all fundamentally represented in your IG program, will help make data minimization an intrinsic part of your organization’s information governance.

Consistently following the data minimization principle is integral to managing records and information risks, allowing it to spend more time on producing the innovations that will allow it to thrive.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Data Minimization is Good Information Governance appeared first on Zasio.

California Strengthens Online Privacy Landscape with Child-Specific Legislation

Zasio — Thu, 17 Nov 2022 20:57:04 +0000

California recently became the first state to enact legislation governing the profiling and processing of personal information gathered from children online.[1] The California Age-Appropriate Design Code Act (CAADCA) becomes law on July 1, 2024, and builds upon the state’s current privacy legislation.[2] The law applies to any business that provides an online service, product, or feature that children are likely to access and meets one or more of the following three criteria: (1) has gross revenue above $25 million; (2) buys, sells, or shares the personal information of 100,000 or more consumers or households; or (3) derives 50 percent or more of its revenue from selling or sharing consumer personal information.[3]

What Requirements Do Businesses Have?

To be CAADCA compliant, businesses must complete a data protection impact assessment, which must identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the business’s data management practices.[4] Covered businesses must complete this DPIA by July 1, 2024.[5] Any identified risk of material detriment to children from the covered businesses’ information management practices must be documented and mitigated or eliminated in accordance with a timed plan.[6] Also, a covered businesses’ privacy settings must provide a “high level of privacy” unless the business can show a compelling reason that different privacy configurations are in the bests interest of the child.[7]

Additionally, a covered business must not:

Use personal information of a child that the business knows or has reason to know is materially detrimental to the child’s health or well-being
Collect a child’s precise geolocation information without providing an obvious sign to the child for the duration of the collection of the geolocation information
Collect, sell, share, or retain personal information that the business does not need to provide an online service, product, or feature with which a child is actively and knowingly engaged. [8]

What Are Businesses Required To Provide To Consumers?

Covered businesses must provide three things. [9] First, they must provide privacy information such as terms of service and policies. These must be provided in concise and clear language that is suited to the age of children that are likely to access the online service or product. [10] Second, if the online service or product allows a parent or guardian to monitor the online activity or track a child’s location, an obvious signal must be provided to the child when the child is being monitored or tracked. [11] Third, a covered business must provide tools to help children—and if applicable, parents or guardians-report concerns and utilize privacy rights. [12]

What Are The Penalties For Not Complying?

A covered business that violates the CAADCA is subject to a civil penalty of no more than $2,500 per affected child from negligent actions. Penalties go up to no more than $7,500 per affected child for intentional violations. [13] The CAADCA is enforced by the California Office of the Attorney General, and there is no private right of action for violations of the law. [14]

Conclusion

The number of privacy laws across the United States continues to increase. Navigating comprehensive data privacy laws is already a difficult task, and a topic-specific privacy law that applies only to children, —such as the CAADCA—only adds to the complexity that businesses can face when it comes to compliance. More than ever, it is important for businesses to stay informed of the shifting legal landscape and be proactive about complying with new data privacy requirements.

[1] Don Thompson, California’ First With Law Protecting Children’s Online Privacy, Los Angeles Times (Sept. 15, 2022), https://www.latimes.com/business/story/2022-09-15/california-first-with-law-protecting-childrens-online-privacy.

[2] Cal. Civ. Code § 1798.99.31 (d) (2023).

[3] Cal. Civ. Code § 1798.99.31 (a) (2023); Cal. Civ. Code § 1798.140 (d) (2023), see Cal. Civ. Code § 1798.99.30 (a) (2023).

[4] Cal. Civ. Code § 1798.99.31 (a)(1)(A),(B) (2023).

[5] Cal. Civ. Code § 1798.99.33 (a) (2023).

[6] Cal. Civ. Code § 1798.99.31 (a)(2)(B) (2023).

[7] Cal. Civ. Code § 1798.99.31 (a)(6) (2023).

[8] Cal. Civ. Code § 1798.99.31 (b) (2023).

[9] See Cal. Civ. Code § 1798.99.31 (a)(1) (2023).

[10] Cal. Civ. Code § 1798.99.31 (a)(7) (2023).

[11] Cal. Civ. Code § 1798.99.31 (a)(8) (2023).

[12] Cal. Civ. Code § 1798.99.31 (a)(10) (2023).

[13] Cal. Civ. Code § 1798.99.35 (a) (2023).

[14] Cal. Civ. Code § 1798.99.35 (d) (2023).

The post California Strengthens Online Privacy Landscape with Child-Specific Legislation appeared first on Zasio.

Changes to the California Consumer Privacy Act of which Consumers Should be Aware

Zasio — Wed, 16 Jun 2021 20:45:53 +0000

Data privacy regulations have been a hot topic in the ever-changing discussion of consumer privacy. So far in 2021, 27 bills have been proposed in states which seek to implement new or change existing data privacy laws.[1] By comparison, only two state-level bills were introduced in all of 2018.[2]

One of those 2018 bills was the California Consumer Privacy Act (CCPA), a wide-reaching statute designed to enhance online consumer privacy for California residents.[3] On November 3, 2020, just nine months after the CCPA became enforceable,[4] California voters passed Prop 24 (also known as the California Privacy Rights Act or “CPRA”), which contains several significant changes to the CCPA.[5] However, businesses still have some time to study and adapt to these changes. The CPRA will only apply to personal information collected by a business on or after January 1st, 2022, and the CPRA does not become operative law until January 1st, 2023.[6] While not yet effective, there is no doubt the CPRA enhancements to the CCPA will be very impactful. Among other things, the CPRA changes what entities are required to comply with the CCPA and also establishes the California Privacy Protection Agency.[7]

CPRA Changes to Regulated Entities

To be regulated under the CCPA, a “business” as defined under California law must satisfy at least one of the following three conditions: (1) has annual gross revenue above twenty-five million dollars; (2) alone or in combination is involved in the buying, selling, or sharing of personal information of fifty-thousand or more consumers, households, or devices; or (3) derives fifty percent or more of its annual revenue from selling consumer’s personal information.[8]

The CPRA makes three fairly significant changes to these jurisdictional conditions.[9] The first is that the numeric threshold of “fifty thousand or more consumers, households, or devices” will be increased to one hundred thousand.[10] The second is that devices will no longer be considered when calculating the jurisdictional threshold.[11] The third is the addition of the phrase “or sharing” to regulate entities that derive fifty percent or more of their annual revenues from selling or sharing personal information.[12] In other words, entities will no longer be able to avoid compliance by claiming that more than fifty percent of their annual revenue comes from sharing information, and not selling it.

Creation of The California Privacy Protection Agency

Currently, the CCPA only allows individuals and the California Attorney General to bring claims alleging CCPA violations.[13] Despite the California AG having the authority to bring claims, though, that office is only equipped to handle a handful of cases per year.[14] Section 24 of the CPRA creates the California Privacy Protection Agency,[15] which will not only administer and enforce actions involving the CCPA but also promote public awareness of online security and provide guidance to consumers and businesses regarding their rights and duties under the CCPA.[16] The creation of an agency funded with ten million dollars to issue sanctions to companies that violate the CPRA should lessen the burden that is currently placed on the California Attorney General.[17]

Conclusion

The CCPA and CPRA have placed California at the forefront of state online consumer privacy laws. Given the large number of California residents (roughly one in eight U.S. residents live there) and businesses subject to these laws’ reach, the CPRA no doubt will increase the CCPA’s already profound impact on only consumer privacy protection. Time will tell the impact California’s approach will have on how other states create and change their consumer privacy laws. Such legislation likely has the impact to cause a ripple effect of creating guidelines as to what entities are governed as well as the creation of enforcement agencies. Contact Zasio today to see how our innovative products and services can help you remain compliant.

[1] David McCabe and Cecilia Kang, As Congress Dithers, States Step In to Set Rules for the Internet, N.Y. Times (May 14, 2021), https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html.

[2] Id.

[3] See Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (June 28, 2018), https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html.

[4] Id.

[5] See Cal. Legis. Serv. Proposition 24 (West 2020).

[6] Id.

[7] Id.

[8] See Cal. Civ. Code § 1798.140(c)(1)(A–C) (West 2020).

[9] See Cal. Legis. Serv. Proposition 24 (West 2020).

[10] Id.

[11] Id.

[12] Id.

[13] See Cal. Civ. Code § 1798.150–155 (West 2020).

[14] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html.

[15] Cal. Legis. Serv. Proposition 24 (West 2020).

[16] Cal. Legis. Serv. Proposition 24 (West 2020).

[17] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html.

Author: Brandon Tuley, JD, CIPP/E

Analyst / Licensed Attorney

The post Changes to the California Consumer Privacy Act of which Consumers Should be Aware appeared first on Zasio.

US Privacy Laws & RIM — Recent Developments

Zasio — Thu, 07 Jan 2021 21:43:32 +0000

Privacy may very well be the fastest-growing area of law so far in the 21^st century. While the US, at the federal level, has resisted a broad privacy law similar to the GDPR, momentum is steadily gaining for privacy legislation at the state level. This blog explores US privacy law’s recent developments from a records and information management (RIM) perspective.

I. Recently Enacted Privacy Legislation

The number of new bills introduced in 2020 broadly regulating privacy illustrates the subject’s popularity. In 2020 there were more than 20 privacy bills introduced at the state level in the US.[1] Federally, there were dozens of bills and discussion drafts introduced during the last two sessions of congress.[2] While most of the recent broad privacy bills met their demise in legislative committees, here are some of the ones that survived and became law.

California’s Privacy Rights Act (CPRA)

The biggest development in US privacy law in 2020 was the passage of the CRPA by ballot initiative during the November election. The CPRA amends the California Consumer Privacy Act (CCPA) in major ways. Here is a summary of these changes:

New Privacy Authority Created: The CPRA creates the California Privacy Protection Agency (CPPA) and grants it the authority to enforce the act by making rules and investigating non-compliance.[3]
Creates New Sensitive Personal Information Category: The CRPA provides stricter requirements for sensitive PI, with stricter use and disclosure provisions than regular PI, including Consumers’ ability to restrict use and disclosure for some purposes. Examples of sensitive PI include social security numbers, identification numbers from identification cards such as passports and licenses, financial account information, race, ethnic origin, religion, and genetic information, and precise location information, among others.[4]
Expanded Rights for Consumers: In addition to their ability to restrict the use of sensitive PI, consumers have several new and expanded rights under the CRPA. These include new rights to correct inaccurate PI, expanded rights to delete PI from third parties, and expanded/modified rights to know, opt-out, notice of collection, and request deletion of PI.[5]
Revised Regulated Party: The CRPA expands regulated business activities to include parties receiving PI. The CCPA only included parties who buy, sell, or share PI. The CPRA also expands regulated business activities by revising the deriving at least 50 percent of income from selling PI threshold to include profits from sharing PI. However, the CPRA excludes many small businesses previously covered under the CCPA by increasing the threshold number of consumers or households from 50,000+ to 100,000+.[6]
PI Retention Changes: CPRA has some retention changes similar to requirements in the GDPR. Under the CPRA, businesses now are prohibited from keeping PI unless it’s reasonably necessary to meet a disclosed purpose. Further, businesses must specify the criteria used to determine the retention period for PI categories or the retention period itself at the time of collection.[7]

Like the CCPA, there is a window before the CPRA becomes effective, allowing businesses time to implement compliance measures. The CPRA will become effective on January 1, 2023.

Maine Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301)

Maine passed a privacy act in 2019, restricting the collection, retention, use, disclosure, sale, or access to customer PI by broadband internet access services. This act provides exceptions, including consent, providing services related to the purpose for collection, direct advertising, and several others. It also includes requirements for security and protection of consumer PI lawfully collected.[8]

Nevada Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A)

Nevada revised its PI security law by enhancing requirements for state government controls in the “collection, dissemination and maintenance” of PI.[9]

II. U.S. Privacy Law Trends Leading Into 2020

The year 2020 highlighted an ongoing trend in U.S. privacy laws. For reference, the following includes a summary of additional privacy laws generally applicable to businesses and employers that impact PI retention:

Illinois Biometric Information Privacy Act (740 ILCS 14/)

Section 15 of this law on “Retention; collection; disclosure; destruction” requires private entities possessing biometric identifiers to have a retention schedule specifying disposition “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”[10]

Maryland: COMAR 09.12.22.01

This law from Maryland requires employers to retain PI medical information “only for the time needed to accomplish the purpose for access.”[11]

New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act): NY CLS Gen Bus 899-aa and 899-bb

The SHEILD Act requires businesses owning or licensing computerized data containing PI to dispose of the PI “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”[12]

Texas: Tex. Bus. & Com. Code 503.001

This Texas legislation requires persons possessing biometric identifiers of individuals collected for a commercial purpose to “destroy it within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires.”[13]

Utah: Utah Code Ann. 34-46-203

Utah’s latest enacted privacy legislation requires employers to destroy information collected during a hiring process within “two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant.”[14]

Washington: Rev. Code Wash. 19.375.020

This recent Washington law requires that possessors of biometric identifiers collected for commercial purposes retain them for “no longer than is reasonably necessary to… provide the services for which the biometric identifier was enrolled.”[15]

Federal Children’s Online Privacy Protection Rule: 16 CFR 312.10)

This rule by the US Federal Trade Commissions requires operators of websites or online services to retain PI collected from children for “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”[16]

Conclusion

The above is just a sampling of privacy laws and many other US privacy laws generally regulate businesses and specific industries. If you need help strategizing how privacy requirements impact your RIM program, Zasio Consulting is here to help, contact Zasio.[17]

[1] Arizona (SB1614, HB2729), California (CPRA passed), Hawaii (HB 963), Illinois (SB2263, SB2330, HB5603), Maryland (HB0249, HB0784, HB1656), Minnesota (HF 3936), Nebraska (LB746), New Hampshire HB1236), New Jersey (A2188, A3255), New York (S224, S5642), South Carolina (H4812), Virginia (HB473), Washington (SB6281), Wisconsin (AB870, AB871, AB872).

[2] DATA Privacy Act (H.R.8749), Privacy Office Enhancement Act (H.R.5678), Consumer Online Privacy Rights Act (S.2968), Privacy Score Act of 2020 (H.R.6227), Social Media Privacy Protection and Consumer Rights Act of 2019 (S.189), Privacy Bill of Rights Act (S.1214), Protecting Education Privacy Act (H.R.2724), Moving Americans Privacy Protection Act (S.1302), Passenger Privacy Protection Act of 2019 (S.1206), Genetic Information Privacy Act of 2019 (H.R.2155), Secure Data and Privacy for Contact Tracing Act of 2020 (H.R.7472), Consumer Data Privacy and Security Act of 2020 (S.3456), Online Privacy Act of 2019 (H.R.4978) to name a select few.

[3] The California Privacy Rights Act (CPRA) Section 24. https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf

[4] ID at sections 10 and 13.

[5] ID at sections 3A, 5-12.

[6] ID at section 14

[7] ID at sections 4, 12(7)

[8] Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301). https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&item=9&snum=129

[9] Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A) Section 210. https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210

[10] Illinois Biometric Information Privacy Act (740 ILCS 14/) Sec. 15 (a). https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

[11] COMAR 09.12.22.01 (C). http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm

[12] NY CLS Gen Bus 899-bb (2)(b)(ii)(C)(4). https://www.nysenate.gov/legislation/laws/GBS/899-BB

[13] Tex. Bus. & Com. Code 503.001 (c)(3),(c-1). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm

[14] Utah Code Ann. 34-46-203 (2). https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101

[15] Rev. Code Wash. 19.375.020 (4)(b). https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose.

[16] 16 CFR 312.10. https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&mc=true&node=pt16.1.312&rgn=div5#se16.1.312_110

[17] https://www.zasio.com/consulting-services/

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements in this article are informational only and do not constitute legal or other professional advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Rick Surber, CRM, IGP

Senior Analyst / Licensed Attorney

The post US Privacy Laws & RIM — Recent Developments appeared first on Zasio.

Using Information Governance to Comply with California’s New Privacy Act

Zasio — Tue, 26 Jun 2018 21:13:07 +0000

Data privacy continues to be a hot-button issue. Several factors contribute to the recent flurry of global legislative activity. These include rising reports of security breaches that compromise personal information, lack of visibility into what personal information is collected, and limited control for owners to determine how information is used. The United States is no exception. Due to a lack of centralized formal legislation on data privacy, efforts to change are mounted at the industry, federal, and state levels.

In recent months, Louisiana, Vermont, and Colorado have passed amendments to their existing data breach and notification laws. The changes range from expanding the definition of personal information to regulating activities of data brokers. Amid these changes, a proposed initiative in California titled “The California Consumer Privacy Act of 2018” is receiving a lot of attention due to its breadth and potential impact nationwide.

The California Consumer Privacy Act of 2018 was an initiative backed by privacy advocates that sought to provide consumers with visibility into and control over personal information collected and sold by businesses. The measure faced substantial opposition from the tech industry. Despite this, its supporters announced that they had received enough signatures to qualify for the November ballot. On Thursday, June 21, 2018—before the Secretary of State completed the signature verification process—a tentative agreement was announced whereby the initiative would be withdrawn in exchange for the passage of an alternative bill, the “California Data Privacy Protection Act.” But, there is still uncertainty because both houses must pass the bill and it must be signed into law by the governor by June 28, 2018. If this deadline is not met, the initiative will move forward for vote in November.

While the framework of the initiative and the bill contain similarities, there are critical differences. Key changes include the:

threshold for covered businesses
scope of personal information
ability to request personal information be deleted and exceptions to that right
opt-out and anti-retaliation provision
number of penalties (decrease)
number of exemptions (increase)

While the state of privacy in California is unclear, from an information governance perspective, some universal steps can help achieve compliance. Read on to learn about a few of these steps.

Know Your Information

The piecemeal approach to privacy in the United States can make compliance difficult because of variances in the laws. One key difference is often in the definition of personal information (and any noted exemptions), which dictates what information the covered entity can collect, store, and use. Accordingly, it’s critical to understand the scope of coverage and then map the flow of personal information to discharge both obligations and accountability effectively.

In this case, because of the uncertainty of the state of the privacy law in California, the scope is undecided. However, both the initiative and the bill lay out a definition of personal information, along with exemptions based on coverage under existing laws (e.g. protected or health information subject to the Health Insurance Portability and Accountability Act). This definition sets the guardrails for the personal information framework, which can be used to conduct a gap analysis for existing programs or, if initializing in response to the proposed initiative or bill, to create the foundation for a new program.

Identify New Records

Besides records that contain personal data, there are typically records associated with privacy-related activities. These records are not explicitly called out but are largely inferred. This leaves their exact nature and the extent of records unique to each covered entity. Once identified, retention schedules must be assessed to find any existing record series that govern over its retention or if new records must be created and assigned retention.

Consider that under both the initiative and the bill, a covered entity must respond to a “verifiable consumer request.” The steps for verification will be based on the rules and procedures as set by the Attorney General. However, this consists of either a request submitted through a password-protected account while the consumer is logged on or, where no account is maintained, a way for the covered entity to authenticate the consumer’s identity. This process is further complicated by the fact that an agent of the consumer can make a request. Consumers can even request on behalf of a minor child. Accordingly, operational records developed to comply may include procedures for how to verify consumer identity, scripts for verbal or electronic requests, the capture of the requests, and confirmation of delivery or other response, to name a few.

Furthermore, as these records do not have a defined retention period within the initiative or the bill, they will need to be addressed with knowledgeable stakeholders. When the operational need for retention aligns with an existing record series, it’s ideal to use the existing series. However, be mindful of those records that contain personal information before you determine the retention period. If you can’t align the retention, you might need to create of a new record series.

Identify Applicable Legal Requirements

It is not uncommon for data privacy laws to contain exemptions from the law or exceptions from limitations to retention based on a general caveat (e.g. unless provided by another law). In this case, while neither the initiative or the bill contains a specific retention period for personal information or related operational records, there are exemptions. Hence, to properly discharge its obligations, these other laws must be reviewed to determine the scope of coverage and compliance.

Even where the operational records are not identified or covered, there may be other overlapping laws that define retention based on broad categories. Therefore, determine the jurisdictional scope and survey laws to ensure assigned retention or records handling processes related to personal information management are compliant.

Timely Dispose of Personal Information

The more personal information you manage, the more you need to track and account for. Otherwise, you might experience loss or mishandling of information, or even become a target for security breaches. To reduce exposure, monitor and audit personal information to make sure it is disposed of properly. This helps ensure information isn’t retained beyond the use for which it was collected. If subject to retention for longer based on a legal requirement, retain it for no longer than that period. Also, keep in mind that disposal applies to all copies and duplicates, regardless of format. Use a data map to understand the flow of personal information and develop a plan for disposition.

Conclusion

While this article focused on managing personal information citing to commonalities from the California initiative and bill, the pointers are universal to adapt in this area of law. As you identify or reassess your compliance plan, it is critical to understand the scope of personal information collected, used, and stored. Your compliance plan should be supported by good records management practices to assure that records are accounted for, and timely disposed of in line with legal requirements or operational needs, with specific care to reassess the retention of those records that contain personal information. Finally, continue to monitor and audit on a regular basis to stay compliant moving into the future.

The post Using Information Governance to Comply with California’s New Privacy Act appeared first on Zasio.