California’s Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. While that may seem far away, organizations only have a matter of months to align with the legislation to avoid risking non-compliance fines. CCPA compliance is a concept that businesses outside of the state need to be concerned about as well – if you see “California” and assume it doesn’t apply to you because your company isn’t located in the state, you may need to think again.
Does CCPA apply to you?
Like GDPR, CCPA will have wide-ranging effects that stretch beyond the state’s borders. Any for-profit company that is based in or does business in the state of California must comply if they:
- Generate a gross revenue of $25 million or more per year
- Obtain or share personal information of 50,000+ individuals
- Gross at least half the company’s annual revenue by selling California residents’ personal information
If you’re responsible for complying with CCPA, it’s important not to wait to implement the privacy regulation at your organization. The changes necessary for compliance could completely overhaul your operations, and CCPA compliance isn’t something you can achieve overnight. Even if your company doesn’t have any locations or employees in California, the Act may still apply to activities that are conducted outside of the state but involve Californian’s data. The law also applies to any entity that controls or is under the control of a business that meets the criteria or shares common branding, which includes subsidiaries and parent corporations.
The purpose of CCPA
CCPA is designed to restore a sense of autonomy over personal data and privacy by giving Californians more ownership, control, and security. The Act enables California residents to request that a business delete any of their personal information collected from them and refrain from selling their data. Certain exceptions apply to the rules, and the law contains broad definitions and verbiage that leave room for future amendments, but the Act is a significant step in granting consumers a right to their own privacy and information.
Under the new legislation, Californians will be able to access information including the data a business has collected about them, how they use and discloses that data, and more. Personal information, as defined by the new law, may include identifiers such as names and phone numbers, biometric information, geolocation, employment information, education information, and internet/network activity, amongst others.
Why CCPA compliance matters
With CCPA, companies are under more pressure than ever to review their data collection, management, and sharing policies to make adjustments. Should a consumer use their right to be forgotten and request their data be deleted, companies must comply, or they risk incurring fines of millions of dollars in both civil penalties and statutory damages. More specifically, penalties for non-compliance may incur fees of up to $7500 per violation. If 1,000 consumers requested their data be deleted, but your company failed to follow through, you’re immediately looking at $7,500,000.
While many companies believe they don’t need to be concerned about CCPA because they prepared for GDPR before it went into effect, note that just because your organization is GDPR compliant doesn’t automatically mean you meet CCPA compliance requirements, too.
How to make sure you’re ready for CCPA
As you prepare for January 1, 2020, review your current privacy policies and consider a code of conduct. In the code, you can outline privacy expectations for the entire organization, stakeholders, and any third-party outsourcers. A crisis management plan can reduce the impact of data breaches, address regulations, and ensure confidence in your organization. Taking the time to review your policies now can play an essential role in your organization’s success and devotion to privacy in the future.
- What, why, and how data is being collected and stored
- How consumers can request their data or the deletion of their data
- The method organizations use to verify the identity of the consumer submitting a request
- How consumers can opt out of the sale of their data to third parties
Preparing for CCPA – where to begin
Because sensitive information is present in areas beyond just an organization’s Salesforce instance or Microsoft Outlook network, companies must ascribe to a culture of data sensitivity and craft a code of conduct when tackling their plans of action for preparing for CCPA. Not only will a thorough review of your privacy policies and procedures give you a chance to audit the efficacy of your policies, but it enables you to become a leader in privacy excellence, instilling trust and confidence among not only your employees but your customers as well. Start with an internal audit, and from there, develop new organization-wide privacy plans and procedures that align with CCPA compliance requirements.
While CCPA compliance requires substantial time and effort, the good news is that if you start now, there’s still time to prepare.