The California Consumer Privacy Act (CCPA) — the toughest privacy law in the United States — will go into effect January 1, 2020, with enforcement beginning no later than July 1, 2020.
The CCPA, like the existing EU General Data Protection Regulation (GDPR), broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. For compliance leaders, such as chief privacy officers (CPOs) and data protection officers (DPOs), the act represents an opportunity to operationalize privacy and make it a strategic priority for gaining competitive leverage.
Who Should Care About CCPA?
In brief, anyone who has customers or employees in California should care. In greater detail, the CCPA affects companies that:
- receive personal information from California residents either directly or indirectly, and that annually generate revenue in excess of $25 million;
- receive the personal information of 50,000 or more California residents, devices, or households annually (directly or indirectly), or derive at least 50% of revenue from the sale of personal information about California residents.
While the effective date is January 1, 2020, consumers have the right to request the categories of personal information collected by companies within the preceding 12 months. This means that companies will need the records of personal information they collect dating back to January 1, 2019. Organizations that are affected by the CCPA and fail to comply risk being assessed fines of between $2,500 and $7,500 per violation.
CCPA Best Practices
To prepare for the impending regulation, CPOs and DPOs should secure a budget, develop the key processes, and evaluate tools that will help their organizations build and implement a compliance plan. The plan will need to include a comprehensive data inventory describing which business processes are in the scope of CCPA and where the gaps are in compliance processes. Compliance leaders should adopt the following best practices to help achieve CCPA compliance:
● Transparency in Policy Language. By January 2020, businesses must provide consumers with specific information pertaining to the new regulation. For example, consider when a consumer downloads a ride-sharing application. The user will receive a privacy prompt asking if they are OK with the company collecting certain information and must hit "accept" or a similar call-to-action button to either designate they understand the policy or that they would like to read the full policy. In addition, the app must also update those prompts to explain how the CCPA affects what rights users have related to privacy protection, and how those rights differ from pre-CCPA rights. To comply with this mandate, organizations must update privacy notices at least annually by describing how CCPA statutes affect data collection and users' privacy options, ensure those notices meet the transparency requirements of any applicable laws, and formally document that process.
● Looping in Data Processors. Businesses are now required to report consumer data deletion requests from a company's database to its service providers, which are also liable for civil penalties under the CCPA for noncompliance. If a retail company collects user data, it must also ensure it has evaluated and determined that any customer relationship management (CRM) service provider with which it works is compliant with CCPA regulations. Service providers must also ensure they have the requisite privacy processes and mechanisms in place to support companies that use their services.
● Recourse for Data Requests. Consumers will have the right to obtain, within 45 days, their personal information from a business. Consumers also have the right to request their personal information in a format that allows them to transmit it to another organization. To ensure compliance, organizations will need to review how they currently respond to data access requests, assess how well those processes work, address compliance gaps, and find ways to automate, scale, and simplify manual compliance-related processes.
● Data Deletion Standards. Consumers may request that businesses delete their personal information. Companies will need processes and mechanisms to respond to consumer deletion requests, identify where the data resides, and demonstrate to the customer that the information has been removed from their databases.
CCPA Is Not GDPR
Businesses that complied with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start on dealing with CCPA. However, under the CCPA, all companies that fall under the CCPA jurisdiction — whether or not they are affected by GDPR — will need to enhance their data management practices and expand their individual rights processes by the January 1, 2020, deadline. Companies that get ahead of CCPA compliance will not only minimize the risk of sanctions but be able to carve out a greater competitive edge over companies that lag behind.