On June 2018, the Golden State of California passed a consumer privacy act, AB-375 called California Consumer Privacy Act (CCPA). It is the most extensive data privacy act, applicable to any organization that in any way processes the data of a California resident. Soon it will be replaced by the California Privacy Rights Act (CPRA).
The CCPA entitles consumers to know what personal information is being collected and how it is further shared to be used by third parties. Moreover, it is well within the consumers’ rights to stop any business from sharing their data and remove it completely.
How Is It Different from the GDPR?
While the GDPR has some of the most crushing requirements, such as the brief 12-hour window to report a breach, CCPA takes a broader view. It goes even further to locate and protect what constitutes personal or private data as per the GDPR.
The primary difference between the two is that GDPR is more about prior consent, while CCPA is about opting out. GDPR binds businesses to ask for consent before having a consumer’s data stored and processed. On the other hand, CCPA requires businesses to enable consumers to opt-out at any point.
It allows consumers to access every piece of personal information saved and a complete list of third parties it is shared with. Moreover, consumers have the right to sue a company for violating privacy guidelines even if there has been no breach.
Does CCPA Apply to Your Business?
CCPA applies to any business operating in California with annual revenue of at least $25 million. Additionally, any business regardless of its size, is bound to comply with the law if they handle data of 50,000+ people. Moreover, any company that makes more than half its profits by data selling also falls under CCPA.
The law isn’t exclusive to businesses with a physical presence in California or even the whole US in that reference. As long as you handle data of California residents and meet the above requirements, you better get yourself CCPA-ready.
There are numerous misconceptions that CCPA may not apply to your business if you are:
- Not directly selling data
- Already GDPR compliant
- Providing financial services
- Work on a B2B model
However, insurance institutions, agents, and other support organizations already regulated as per California’s Insurance Information and Privacy Protection Act (IIPPA) were exempted in April 2020.
7 Key Steps Leading to CCPA Readiness
Even businesses that have recently prepared for GDPR must put in much more effort on their way to CCPA readiness. It has extended on a global scale by affecting as many as 500,000+ organizations worldwide.
The enforcement has been in full swing since the start of July 2020. If your business is subject to CCPA regulations, here are a few important steps to take to become fully compliant.
Learn What Personal Data Means Under CCPA
Personal data has a broader meaning when it comes to CCPA, which as per the legislation, refers but isn’t limited to:
- Identifiable data such as name, alias, postal address
- Online identifiers such as IP address, email address
- Social security, passport, driver’s license number, or registration
- Any data described as personal information under the categories of subdivision (e) of Section 1798.80
- Data related to characteristics of legally protected classifications as per California state or US federal law. Race, religion, sexual orientation, etc.
- Commercial information such as records of purchases
- Biometric credentials
- Internet activity information such as browning history
- Geolocation data
- Identifiable employment-related data
- Personally identifiable academic information that isn’t publicly available as defined in Family Educational Rights and Privacy Act
Make it an Organizational Goal, not a Departmental
When GDPR came into full swing, many companies had to employ a Data Protection Officer (DPO) as a legal requirement. CCPA compliance requires more or less the same. Ultimately, you must assign the whole responsibility to a single authority to fulfill the specific legislative requirements.
While CCPA readiness seems like a job most suited for the IT department as it requires creating complex data inventories and juggling between data subject requests, it requires more of a holistic effort. Businesses should have a team “comprising legal, compliance, business, and technology expertise,” says Richard Harris, chair of the technology, telecommunications, and outsourcing practice at the law firm Day Pitney.
Reassess Your Existing Data Existing Data Processing Policies
CCPA is the modern paradigm of data privacy. On your way to compliance, it is critical to review your internal compliance policies to ensure they comply with CCPA requirements and update the ones that fall short. Compare the policies with internal business workflows, identify discrepancies and fill the gap.
Review Your Website Privacy Notices and Policies
Whether it’s GDPR or CCPA compliance, transparency is of paramount importance. You need to be elaborate and specific about how consumer data is used and use it the same way you said you’d use it. Make it clear for the consumers that they can opt-out at any time and even ask to get their data removed completely.
Review Third-Party Data Flows and Service Provider Agreements
Map data flows for all third parties, whether standard data storage such as Google Drive or custom data storage. It is critical to have complete knowledge of what data is being sent to the third parties, why, how it will be further used, and if it is in line with CCPA regulations.
6. Implement “Reasonable Security Practices.”
Reasonable security practices don’t necessarily mean the need for encryption as per CCPA’s security provisions. However, it does require organizations to ensure “reasonable security”. It is important to audit your existing procedures and keep your personal information safe. Be aware of your employees to learn more about risk management and analysis. In case of a data breach, organizations must be able to present sufficient documentation as proof of reasonable security controls in place.
Establish an Efficient Process for Data Subject Requests
Under CCPA, consumers have the legal right to submit a data subject request to access their data, opt-out of their data being sold to third parties, or even get it deleted. Businesses must implement a streamlined process to handle these requests promptly and with utmost priority.
“Companies should be prepared to intake and effectuate consumer access and deletion requests,” says Kandi Parsons, an attorney at law firm ZwillGen.
In a Nutshell
It will be a long and bumpy ride towards CCPA compliance that requires you to put in a lot of time, effort, and money. Non-compliance is out of the option if you want to save your business from substantial fines that may lead to severe financial and reputational loss.