California Consumer Privacy Act (CCPA)

CCPA overview

The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in the United States. It provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like consumer data subject rights (DSRs), an 'opt-out' for certain data transfers, and an 'opt-in' requirement for minors.

The CCPA only applies to companies doing business in California which satisfy one or more of the following: (1) have a gross annual revenue of more than $25 million, or (2) derive more than 50% of their annual income from the sale of California consumer personal information, or (3) buy, sell or share the personal information of more than 50,000 California consumers annually.

The CCPA goes into effect on January 1, 2020. However, enforcement by the California Attorney General (AG) will start on July 1, 2020.

The California AG will enforce the CCPA and will have the power to issue non-compliance fines. The CCPA also provides a private right of action which is limited to data breaches. Under the private right of action, damages can range between $100 and $750 per incident per consumer. The California AG also can enforce the CCPA in its entirety with the ability to levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.

Microsoft and the CCPA

For commercial customers doing business in California, Microsoft will be acting as a 'service provider' with respect to our Online Services and Professional Services offerings. The terms of the Online Services Terms (OST) and the Microsoft Professional Services Data Protection Addendum (MSDPA) already meet the requirements for Service Providers under the CCPA and are generally sufficient to permit customers to continue to transfer data to our Online Services. As such, no additional contractual changes are required for customers to be able to rely on Microsoft as a Service Provider under the CCPA.

As set out in the OST, Microsoft complies with all laws and regulations applicable to its provision of the Online Services, which would include the CCPA.

Microsoft in-scope cloud services

How you can prepare for your CCPA compliance when using Microsoft Products and Services

Here are a few steps you could take to get ready for the CCPA:

  • Start leveraging the GDPR assessment in Compliance Score as part of your CCPA privacy program.
  • Establish a process to efficiently respond to Data Subject Access Requests (DSARs) using the Data Subject Requests tool.
  • Set up labels and policies to discover, classify & label, and protect sensitive data with Microsoft Information Protection.
  • Use email encryption capabilities to further control sensitive information.

Frequently asked questions

How will the CCPA affect my company?

Many of the CCPA's rights afforded to Californians are similar to the rights the GDPR provides, including the disclosure and data subject right (DSR) requests, such as access, deletion, and portability. As such, customers can look to our already existing GDPR solutions to help them with their CCPA compliance.

To begin your CCPA journey you should focus on discovery of information, determining how personal information is shared, governing how it is used and how it is protected, and having a formal data breach response program in place.

What are the differences between GDPR and CCPA?

There are many differences. It's easier to focus on the similarities, including:

  • Transparency/disclosure obligations,
  • Consumer rights to access, delete, and receive a copy of data,
  • Definition of 'service providers' that is similar to how GDPR defines 'processors' with a similar contractual obligation, and
  • Definition of 'businesses' that encompasses the GDPR definition of 'controllers'.

The biggest difference in the CCPA is the core requirement to enable an opt-out from sales of data to third parties (with 'sale' broadly defined to include sharing of data for valuable consideration).

What rights must companies enable under the CCPA?

The CCPA requires regulated businesses that collect, transfer, and sell personal information to, among other things:

  • Provide disclosures to consumers, prior to collection, regarding the categories and purposes of collection.
  • Provide more detailed disclosures in a privacy policy regarding the sources, business purposes, and categories of personal information that is collected, including how those categories are sold or transferred to other entities.
  • Enable DSR rights of access, deletion, and portability for the specific pieces of personal information that have been collected by you.
  • Enable a control that will permit consumers to opt out of the sale of the consumer's data. However, transfers to exempt entities, such as service providers, will be permitted.
  • For minors under 16, enable an opt-in process so that no sale of the minor's personal information can occur without the minor actively opting in to the sale.
  • Ensure that consumers are not discriminated against for exercising any of their rights under the CCPA.

How does the CCPA apply to children?

  • The CCPA introduces parental consent obligations consistent with the Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
  • For children between 13 and 16 years old, the CCPA imposes a new obligation to obtain opt-in consent from the child.

Use Microsoft Compliance Score to assess your risk

Microsoft Compliance Score is a preview feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. After setting up Compliance Score, select the pre-configured CCPA template from the Template drop-down menu to help your organization meet the requirements for this regulation.