California Consumer Privacy Act (CCPA) Agency Checklist
Privacy Privacy Privacy
The world has forever been changed since the introduction of technologies such as cellphones, the internet, and social media. These innovations have made the world more interconnected than ever before which in turn has its ups and downs. On the good side, people have unparalleled access to information, goods, and services from any location in the world. However, the same access is available to those people who may want to use its capabilities with malicious intent. This poses a threat to anyone and everyone who uses or shops online. Measures must be taken to prevent your data from being breached and protect yourself while online.
Data has been a valuable commodity for quite some time. Companies use it to better understand consumer habits, analyze new markets, and reach potential customers whether they want to be contacted or not. Having masses of data at your disposal can allow a company to distance itself from competitors lacking the same access. Privacy has been overlooked for years but consumers are waking up to the reality that their data is precious and should be protected when possible.
Some regulations have been put into place over the years, but the newest installment has just arrived: the California Consumer Privacy Act, or CCPA. This new law will affect businesses worldwide through a domino effect, but its impact will be felt most here in the US, and in California in particular. Let’s take a deeper look at the CCPA (Read the Complete Legislation Here) and build a checklist to help you and your business prepare for this new legislation.
California’s New Privacy Law – Who? What? When? Where? Why?
Assembly Bill 375 (the CCPA) permits any California consumer to demand to see the personal information a company has collected about them and the categories of third parties with which that information has been shared or sold. The law also gives consumers a private right of action, which previously was not an option: if certain personal information is exposed in a breach caused by a business’s failure to maintain reasonable security, the consumer can sue for statutory damages. Other violations are enforced by the California Attorney General.
What is actually being protected here? The CCPA lists 5 main rights that it seeks to protect for consumers. Let’s dive in.
- The right to know what personal information is being collected about them
- The right to know whether their personal information is sold or disclosed and to whom
- The right to say no to the sale of personal information
- The right to access their personal information
- The right to equal service and price, even if they exercise their privacy rights
The law went into effect on January 1, 2020 (Happy New Year!)
All companies that do business in California, collect personal information from California residents, and have more than $25 million in annual gross revenue must comply with the law. In addition, companies of any size that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices per year, or that derive 50% or more of their annual revenue from selling personal information, also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States.
But, what if you don’t live in California? Well, at the very least, there is added transparency: Businesses must now notify consumers what personal information they collect about you and why. And some companies may give people all across the US the same opt-out and deletion rights they give to Californians because it’s easier to roll out a widespread change.
The cookie or privacy banner that now appears on many sites, whether or not you have cookies enabled, is the company’s notice that it collects and stores your personal data. Some banners let you decline, and a few sites block access if you do. Practice will vary from site to site in the early stages of the law (especially outside California), but keep in mind the right to equal service and price listed above: a business may not deny goods or services to a California consumer for exercising their CCPA rights.
Why? The answer may seem obvious: to protect customer data and personal information. However, the roots of the legislation dig deeper than that. In layman’s terms, people now have “the right to know” and “the right to say no.” Informing consumers of their rights online was a driving force for the bill. The internet is still a relatively new frontier for many Americans, a grey area where traditional rules and regulations fall short. The CCPA is the first comprehensive, cross-sector consumer privacy law in the United States governing the collection, sharing, and deletion of personal data. The European Union implemented similar data protection legislation in May 2018, the General Data Protection Regulation (GDPR).
The CCPA seeks to make clear what data is being collected and for what purpose, so that consumers can decide whether to do business with the companies that collect it.
What Should Businesses Do?
- Understand the Thresholds – If your business has annual revenue under $25M, you are not covered on revenue alone, but you must still comply if you buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices per year, or if 50% or more of your revenue comes from selling personal information (at any revenue level). Many SMBs will fall outside all three thresholds, but check the second one carefully: 50,000 devices a year is a low bar for an online business. The law applies to California residents, not to where your company is based, so a business outside California is covered for its California customers (a California IP address is a useful signal for who those customers are, not the legal test). Even if your business is currently excluded, it doesn’t mean you shouldn’t prepare (growing to $25M should be in your plans).
- Don’t Panic – The Attorney General cannot bring enforcement actions until July 1, 2020, and even then it is unclear how aggressively the law will be enforced. Many businesses have begun restructuring their sites to comply with the new law, while others believe they will not be affected and have chosen to do nothing. Companies that use data solely for internal analysis will be affected less than those that sell it for profit, and where you fall on that spectrum will shape your strategy moving forward. With that said, here at Trellis we encourage our clients to develop both a short-term and a long-term strategy for the CCPA. More regulations are sure to follow, allowing for increased enforcement of the law, which could mean heavier fines and beyond.
- Lack of Awareness = Lack of Compliance – Many businesses are confused about the new regulations and the associated penalties. Civil penalties run up to $2,500 per violation and up to $7,500 per intentional violation, and because each affected consumer can count as a separate violation, these penalties add up quickly if no preparation is done. We encourage businesses to focus first on ensuring customer data is secure. By many counts, 2019 set a record for reported data breaches; customer data is valuable and attackers know this. Implementing stringent security practices should be the first step when devising your privacy strategy. The CCPA’s private right of action applies to breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security, so encrypting data at rest and in transit and protecting endpoints directly reduces your exposure. Other things to look at include your overall information security posture, how personal data is processed, and how access requests are honored.
- Don’t Fall Behind the Curve – Use this as an opportunity to improve your company’s security. Additional legislation is coming in California, Nevada has already passed its own online privacy law, and other states will follow. Pro-privacy advocates are even pressuring Congress to pass a federal law.
Preparing Your Business
- Conduct an internal review to confirm what personal information is being collected by your business.
- Understand the scope of personal information collected, how it is used, whether it is being sold or not, and to whom.
- Review internal policies and procedures as to the scope and purpose of such collection of personal information.
- Prepare procedures to ensure your organization can respond to consumer requests about their data.
- Prepare training materials for the internal staff in charge of customer data.
- Conduct third-party audits of service providers with access to your consumers’ personal information.
- Implement technological solutions that can process consumer requests (see below).
Steps Towards Compliance
- Accessibility Methods – designate at least two methods for consumers to submit requests (for example, a toll-free number and a web form)
- Data Governance – a maintained inventory of what personal information you hold, where it came from, and to whom it has been disclosed or sold
- Verification System – a process to confirm that the person making a request is the consumer (or their authorized agent) before disclosing or deleting data
- “Do Not Sell My Personal Information” link – on your homepage and in your privacy policy, wired to an opt-out that your data-sharing pipelines actually honor
- Obtain Consent from Minors – opt-in consent before selling the personal information of consumers under 16, and parental consent for those under 13
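To make the last four items concrete, here is an added example (not code from the original page or from Trellis) of a minimal consumer-request workflow: a personal-information inventory, a verification step, a right-to-know response limited to the preceding 12 months, a deletion request, and an opt-out of sale that the data-sharing pipeline honors. The two-data-point verification rule, the handling of opt-outs without full verification, and the sample consumer records are all assumptions made for the example and are labeled as such in the code.

```python
"""Added example: a minimal CCPA consumer-request workflow (verification,
right-to-know, deletion, opt-out of sale). All sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

TODAY = date(2020, 6, 1)  # fixed "current date" so the example is reproducible


@dataclass
class Collected:
    """A category of personal information collected from a source on a date."""
    category: str   # e.g. "identifiers", "commercial information"
    source: str     # where it came from, e.g. "website signup"
    when: date


@dataclass
class Disclosure:
    """One transfer of a category of personal information to another party."""
    category: str
    recipient: str  # third party or service provider
    purpose: str    # business purpose for the transfer
    sold: bool      # True if the transfer counts as a "sale"
    when: date


@dataclass
class ConsumerRecord:
    consumer_id: str
    known_data_points: Dict[str, str]   # held by the business; used for verification
    collected: List[Collected] = field(default_factory=list)
    disclosures: List[Disclosure] = field(default_factory=list)
    opted_out_of_sale: bool = False


class RequestHandler:
    LOOKBACK = timedelta(days=365)  # right-to-know covers the preceding 12 months
    # Assumption (not from the page): a request is verified when the requester
    # supplies at least two data points matching what the business already holds.
    MIN_MATCHES = 2

    def __init__(self, records: Dict[str, ConsumerRecord]):
        self.records = records

    def verify(self, consumer_id: str, claimed: Dict[str, str]) -> bool:
        """Count matching data points; the caller never learns which one failed."""
        rec = self.records.get(consumer_id)
        if rec is None:
            return False
        matches = sum(1 for k, v in claimed.items()
                      if rec.known_data_points.get(k) == v)
        return matches >= self.MIN_MATCHES

    def right_to_know(self, consumer_id: str, claimed: Dict[str, str],
                      today: date = TODAY) -> Optional[dict]:
        """Disclosure for a verified consumer; None if verification fails."""
        if not self.verify(consumer_id, claimed):
            return None
        rec = self.records[consumer_id]
        cutoff = today - self.LOOKBACK
        recent_c = [c for c in rec.collected if c.when >= cutoff]
        recent_d = [d for d in rec.disclosures if d.when >= cutoff]
        return {
            "categories_collected": sorted({c.category for c in recent_c}),
            "sources": sorted({c.source for c in recent_c}),
            "sold_to": sorted({d.recipient for d in recent_d if d.sold}),
            "disclosed_to": sorted({d.recipient for d in recent_d if not d.sold}),
            "business_purposes": sorted({d.purpose for d in recent_d}),
        }

    def delete(self, consumer_id: str, claimed: Dict[str, str]) -> bool:
        """Honor a verified deletion request. The opt-out flag and the data points
        needed to recognise the consumer are kept so the opt-out keeps working."""
        if not self.verify(consumer_id, claimed):
            return False
        rec = self.records[consumer_id]
        rec.collected.clear()
        rec.disclosures.clear()
        return True

    def opt_out_of_sale(self, consumer_id: str) -> bool:
        """Assumption: opt-outs are honored without the full verification step."""
        rec = self.records.get(consumer_id)
        if rec is None:
            return False
        rec.opted_out_of_sale = True
        return True

    def eligible_for_sale(self, consumer_ids: List[str]) -> List[str]:
        """Filter a batch destined for a data buyer: drop anyone who opted out."""
        return [cid for cid in consumer_ids
                if cid in self.records and not self.records[cid].opted_out_of_sale]


def sample_records() -> Dict[str, ConsumerRecord]:
    """Constructed sample inventory (fictional consumers and recipients)."""
    alice = ConsumerRecord(
        "alice",
        {"email": "alice@example.com", "postal_code": "94105", "phone": "5550100"},
        [Collected("identifiers", "website signup", date(2020, 1, 15)),
         Collected("commercial information", "online purchase", date(2020, 3, 2)),
         Collected("internet activity", "site analytics", date(2019, 2, 1))],
        [Disclosure("identifiers", "AdNetwork Co", "advertising", True, date(2020, 2, 1)),
         Disclosure("commercial information", "Shipping Co", "order fulfillment", False, date(2020, 3, 3)),
         Disclosure("identifiers", "Old Broker", "advertising", True, date(2019, 1, 10))],
    )
    carol = ConsumerRecord("carol", {"email": "carol@example.com", "postal_code": "90001"})
    return {"alice": alice, "carol": carol}
```

Two design points worth noting: `verify` returns only a yes/no so an attacker probing the request form cannot learn which stored data point was wrong, and `eligible_for_sale` is the single choke point that any pipeline handing data to a buyer must go through, otherwise the opt-out button is decoration.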
The CCPA has already gone into effect, so the time is now for businesses to reevaluate their consumer data collection processes and begin preparing to comply with new regulations moving forward. Customer data has never been more important, and businesses should realize this sooner rather than later. Compliance may be cumbersome and annoying, but it is a necessary step to protect your business over the next 5-10 years. Protecting customers should become a priority once again for businesses across the world, and the CCPA is one of the first steps in that direction.