January 1, 2020 – the date CCPA goes into effect – is rapidly approaching, and survey results show that companies are lagging in their compliance preparation.
Gartner’s Emerging Risks Monitor Report found that accelerating privacy regulations were a top emerging risk for companies, overtaking even talent shortages and the pace of change. Another survey – conducted by TrustArc and Dimensional Research – found that only 14% of organizations are compliant with CCPA, with only 44% having started the compliance implementation process. Experts agree that CCPA is the most stringent privacy regulation to date in the United States. With company readiness being so low, many organizations are wondering how they can address the new range of compliance requirements to establish trust among customers and avoid hefty non-compliance fines.
Why organizations aren’t ready for CCPA
Many companies assume they don’t need to comply with CCPA simply because they aren’t located in California. However, even businesses that aren’t physically located in California will feel the impact of CCPA as the law applies to any for-profit organization that collects or manages personal information of California residents and (a) grosses more than $25 million annually, (b) generates 50% of revenue from the sale of customer data, or (c) buys, sells, or shares personal information of more than 50,000 consumers, households, or devices annually.
Non-compliance with CCPA can lead to civil violation fines of $2500 to $7500 for each violated record. The $7500 fine is for intentional acts of CCPA non-conformity. After a notification, organizations are granted a 30-day window to comply.
Creating a CCPA compliance roadmap
If your organization isn’t in the 14% of companies that are prepared for CCPA or the 44% who have just started the compliance process, it’s time to act. There’s still time to work on your CCPA compliance, but it’s crunch time. Even if you’re feeling confident that your organization is ahead of the curve for compliance, now is the time to review your privacy updates and ensure you’ve closed any requirement gaps. To help you prepare for CCPA, follow this five-step action plan:
- Make sure everyone is on board, especially your executive team. Compliance isn’t a simple process, and it affects multiple areas of a company, not just InfoSec or IT. You’ll need executive buy-in to obtain the staff hours and other resources required to prepare for the compliance deadline – 72% of organizations plan on investing in technology to prepare for CCPA. If you’re having difficulty making a case for compliance readiness resources, note that failure to comply can result in significant fines and reputational damage that may take years to recover from.
- Review your data collection and management processes. Before you can make changes to how you collect, store, and sell personal consumer data, you must be aware of your current company policies. Data maps, inventories, and detailed user activity monitoring to track access to specific data in your CRM can paint a picture of your organization’s current policies and procedures around collecting data.
- Identify compliance gaps. CCPA requirements are similar to GDPR, but there are enough differences that complying with GDPR doesn’t automatically mean you’re complying with CCPA. Study CCPA requirements in detail and identify where your current policies and procedures align. By assessing your company’s current compliance posture and carefully reviewing CCPA’s requirements, you can identify gaps, enabling you to create a plan for compliance.
- Devise a compliance plan. Once you understand where you need to close gaps to meet compliance, you can develop a comprehensive roadmap with action-based tasks. Experts recommend prioritizing steps in your plan by risk level and level of effort.
- Implement your CCPA compliance plan. Begin by assigning roles to compliance team members so everyone knows their responsibilities. Check in regularly to evaluate progress and identify solutions for any obstacles. While you’re developing your program, create or update the necessary elements to meet compliance requirements, including privacy policies, privacy notices, opt-in and opt-out options, and more. Be sure to test all updates and new additions to resolve any technical difficulties before rolling out the final program. Also, evaluate vendor compliance and update any due diligence policies you have for third-party vendors. And don’t forget to include staff training in your compliance roadmap – your organization should be aware of the changes, what to expect from CCPA compliance, and the importance of customer data privacy and security.
CCPA goes into effect on January 1, 2020, but CCPA compliance enforcement is slated to begin in July 2020. Avoid being in the bottom percentage of compliance – act now and take the necessary steps to meet CCPA compliance so you can prove your dedication to customer data privacy and establish your organization as a leader in the data privacy movement.