CCPA will affect companies and organizations that fit one or more of the criteria below:
- Have annual gross revenues exceeding $25 million
- Receive, share, buy, or sell the personal information of 50,000 or more California consumers, devices, or households
- Derive half of their annual revenue from the sale of information of Californian residents
- Control or are controlled by entities that meet one or more of the criteria above and share a brand with them.
While enforcement by the Attorney General’s office does not start until July 1, 2020 (due to a six-month grace period), it’s best to start the CCPA compliance preparation efforts early. Besides, there is at least one aspect of the CCPA that you must comply with by January 1, 2020: the consumers’ right to request any or all of their information stored in your databases.
What Is CCPA?
CCPA stands for the California Consumer Privacy Act of 2018. It’s the U.S.’s most stringent and comprehensive data privacy law. The state of California enacted the bill (AB 375) in June 2018 and later amended it (SB 1121) the following September.
CCPA gives Californians unprecedented powers to restrict the use of, delete, or view the data that for-profit organizations collect about them. They also have the right to sue should a data breach compromise their personal information.
CCPA does not replace any of California’s existing data protection laws, including:
- The Privacy Rights for California Minors in the Digital World Act
- The California Online Privacy Protection Act (CalOPPA)
- The Shine the Light Act
CCPA requires companies to provide CCPA training to all employees who handle customer data and to train them on how to assist consumers in exercising their rights.
CCPA gives Californians the right to do the following:
- View any of their data collected and stored by businesses
- Know why companies collect and store their data
- Know with whom and why companies share or sell their data
- Have companies delete their data on demand
If personal data is compromised, the affected consumers can file a civil suit through their “Private Right of Action.” The state’s Attorney General can also impose fines on businesses of up to $7,500 per intentional violation or $2,500 per violation.
How To Address CCPA As A Company
1 - Understand the Law and Its Requirements
Learn the CCPA and its thresholds to determine the extent to which it applies to your company. Beyond these thresholds, the law contains data-specific exceptions and exemptions that may narrow your compliance scope. Conversely, it has a broad definition of personal information that may increase the scope. Include an overview of all the frameworks you comply with, and pay attention to overlapping requirements.
2 - Convene a CCPA Team
CCPA is a complex law that is best addressed by a team of compliance and risk professionals, HR leaders, legal staff, IT staff, as well as security and privacy experts. If you wish, you can go a step further and enlist a data protection officer who will oversee compliance.
3 - Map Your Data and Its Flow
It’s essential to know where your information comes from, where it goes, and what form it takes. You must understand all your data assets before you achieve CCPA compliance or reply to consumer requests for access and deletion of their personal information.
4 - Review and Update Your Notices and Privacy Policies
The CCPA requires all affected organizations to provide Californian consumers with clear and specific privacy statements that indicate how they plan to use their data and why.
5 - Assess the Compliance of Your Third Parties
If any of your third-party data recipients, business partners, or vendors are not CCPA compliant, you could be affected. In short, the compliance of your third parties will help ensure yours as well.
6 - Establish CCPA Employee Training
Train all of your staff who will deal with consumers when addressing their CCPA concerns and requests.
7 - Consult Your Legal Team
CCPA is a complex law, and it contains errors, uncertainties, and inconsistencies that are best addressed by your legal counsel. Your attorney will also explain the law’s implications for your operations.
8 - Make a Compliance Checklist
The following checklist will help your CCPA compliance efforts:
- Categorize and tag all your data on Californian residents to quickly comply with their requests
- Put in place a process for quick data access and deletion
- Have an updated audit trail and document everything you do to safeguard consumer data
- Have an effective incident response plan
The Bottom Line
As businesses rush to comply with the CCPA, do not be left behind. Irrespective of your size, find out the scope of the new consumer data protection law to see whether or not it applies to you. If it does, you need to address it as a business by convening a CCPA team, mapping your data and its flow, reviewing your privacy policies, reviewing the compliance of your third parties, training your employees, and coming up with a comprehensive compliance checklist.