The California Consumer Privacy Act (CCPA) was signed into law in June 2018. Its introduction into California law reminds many of GDPR and the increasing awareness of privacy by both the government and consumers.
The CCPA has put stringent requirements on those who fall within its jurisdiction (we’ll let you know later who that is). Compliant companies must be able to tell consumers what data they have on file, what it’s used for, and how to request its deletion. You cannot store California consumers’ data and use it in secret anymore.
California is among the first to enact a major privacy law; it likely won’t be the last. The U.S. government is considering a federal-level law in the wake of GDPR and CCPA. If you’re not ready to be open about how you use consumer data, then you’re not ready for CCPA or later privacy laws that pop up.
Although the CCPA requirements don’t go into effect until January 1, 2020, companies need to start preparing now to be compliant. First, you’ll need to know who is required to be compliant with CCPA and how to do it.
According to a recent survey by PwC, only half of US businesses expect to be compliant with the law by the deadline. This is a concerning statistic. Businesses may not be agile enough to update their systems quickly in response to changing requirements. Others may not know if they need to be compliant or not. Some may simply think they can bolt it on later when it becomes a real problem.
Attitudes like these can be dangerous. Some required changes may not be large, but others affect how applications are designed and architected from the start. The bottom line: put compliance on your immediate roadmap. Now is the time to begin making the necessary changes to be compliant with CCPA.
Before you begin your journey to compliance, you must understand who the law applies to. An article on CCPA from the New Jersey Law Journal says it best, so I’ll reproduce it here:
“Briefly, the CCPA applies to for-profit entities that both collect and process the Personal Information of California residents and do business in the State of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be sufficient. Additionally, the business must meet at least one of the following criteria in order for the CCPA to apply:
- The business must generate annual gross revenue in excess of $25 million,
- The business must receive or share personal information of more than 50,000 California residents annually, or
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
Nonprofit businesses, as well as companies that don’t meet any of the three above thresholds, are not required to comply with the CCPA.”
[Source: New Jersey Law Journal]
If you’re unsure whether you meet these criteria, then the first step is to find out. Search through your data and your business processes to see if you store or receive the information of more than 50,000 residents and if you are currently selling this information.
Determining if the CCPA applies to you is important because of the legal damages you may incur if a data breach happens or you’re found to be non-compliant. If your data is breached, California consumers have a private right of action. This means they can sue you for damages if their information gets out, either in a class action or individual lawsuit.
Consumers can be awarded between $100 and $750 in statutory damages per incident, even if damages from the incident can’t be proven. This is in addition to the fines of between $2,500 and $7,500 based on whether violations were intentional.
If you want to read the fine print yourself, head over to caprivacy.org to find out more.
If the CCPA applies to you, how do you become compliant? There are several steps to add to your roadmap to compliance.
Find out where your data is. You can’t keep data on your users and not know where it is stored and for what purpose. Create a map of where consumer data is kept and for what purpose it is kept. Also, document what you do with it once it’s stored.
Build the ability to gather the data on demand and delete it. CCPA grants consumers the right to know what data you have on them and the right to ask for its deletion. You have to build the functionality now that will allow you to gather the data for one person, show it to them, and delete it completely if necessary. Use Robotic Process Automation (RPA) tools to make the job a little easier. New applications must be built with this requirement in mind.
Update your website privacy policy. Your website privacy policy must be updated to include what data you gather from users of your site and for what purpose. You’ll need to outline steps for the user on how to request their data be deleted.
Add a “Don’t Sell My Data” link. The CCPA requires compliant companies to have a link on their homepage for a consumer to explicitly tell you not to sell their data. You’ll need a way to mark that user in your systems so you don’t accidentally sell their data when they’ve opted out.
Add protections for minors. The CCPA protects minors from having their information sold without their permission. Consumers under 16 must explicitly opt in to having their information sold. A parent or guardian’s consent is required for users under 13.
With these clear steps, you’ll be on your way to CCPA compliance by the 2020 deadline. But you must start now. Some of these activities will require large amounts of time to complete, so you’ll likely miss the deadline if you wait any longer.
We have tons of experience helping companies become compliant with regulations like GDPR and CCPA. Contact us if you need help in determining whether your systems are ready for CCPA.