Legislative Updates

What You Need to Know about CCPA Compliance

02.14.2020

Emptech's founder, Jeff Aleixo

Author

Jeff Aleixo

CCPA compliance privacy law data protection

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and set the bar higher for businesses that collect and share personal data. The most comprehensive data privacy law in the United States lists new consumer rights regarding collection and use of personal information, together with corresponding duties for businesses that trade in such information.

CCPA provides California residents with the ability to control how businesses process their personal information. As such, it has a significant impact on different industries and it is of highest importance for businesses to adapt their existing privacy policies and data protection efforts to achieve CCPA compliance.

What Is CCPA

In the light of the General Data Protection Regulation (GDPR) and various data breaches, CCPA aims to provide consumers with new rights in order to protect their privacy. It also gives consumers a certain amount of control over how their personal information is used.

CCPA compliance presents a number of challenges for organizations of all sizes because it allows California residents the right to learn what information a business has about them and to opt out of the information collection process. Under the CCPA, California residents can also direct businesses to eliminate personal information they currently have on them and prohibit businesses from selling their personal data to another party. In addition, this privacy bill gives consumers the right not to be subject to price discrimination based on their invocation of any of the new rights and allows them to sue companies if the privacy guidelines are violated, even if there is no breach.

Who Has to Comply with the California Consumer Privacy Act

Not all California businesses are subject to the CCPA provisions. However, the CCPA has a broad reach because it applies to for-profit entities that conduct business in California, and meet at least one of the following conditions:  

  • Have annual gross revenues in excess of $25 million,
  • Buy, receive for commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more California consumers, or
  • Make at least 50 percent or more of its annual revenue from the sale of personal information.

Certain health and financial companies that are already under federal data security laws are exempt from the CCPA. Therefore, the CCPA does not apply to:

While the CCPA is limited in its application to California consumers, due to the size of this state’s economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.

Simplify your compliance efforts with a secure electronic platform and ensure maximum security of your employees, customers, and your company’s data.

How to Achieve CCPA Compliance

Any company that collects data about California residents should start evaluating whether it is subject to new obligations and liabilities under the CCPA as soon as possible. Otherwise, they can face serious repercussions for failing to reach CCPA compliance.

Non-compliance with the CCPA can cost businesses up to $7,500 per violation. Unauthorized access to personal data, or data breaches, are also punished by the law. In the case of theft or exfiltration of data, companies are liable for fines of up to $750 per consumer per accident.

High penalties coupled with growing data privacy laws in the United States generally mean that now is the time to ensure that businesses are prepared for the CCPA. Here are some of the steps they can take on the path to CCPA compliance:

Updating Privacy Policy with a Description of a Consumer’s Privacy Rights under the CCPA

The first step for every business is to create a new procedure that informs consumers of their rights and any proposed sale of their personal information. They should also allow them to exercise their right to deny any sale of their personal data as well as to opt-out of the sale of their information.

Identifying and Classifying Sensitive Personal Data across the Organization

In order to achieve CCPA compliance, businesses need to identify previously collected personal information about the consumer. In addition to this, businesses need to know why they collected the personal information, which categories of personal information were sold, and which categories were disclosed for a business purpose. Also, it is critical for every organization that falls under the scope of the CCPA to keep up-to-date detailed records.

Implementing Processes to Respond to Consumer Rights Requests

Businesses need to be ready to handle all consumer requests with regards to their personal data. This refers to situations when consumers say no to the sale of their data and refuse disclosure of their data to third parties.

Training Employees on how to Direct Consumers to Exercise Their Rights

The CCPA makes business responsible for training their employees on key sections of the act. Therefore, businesses have to inform and train all of their employees who handle consumer inquiries regarding privacy practices about CCPA compliance as well as how consumers can exercise their rights.

Integrating Automated Tools

Automated tools can be helpful for complying with data privacy laws. To make CCPA compliance efforts easier, organizations should consider using privacy compliance automation tools to perform tasks such as:

  • Automating processes for consumers to access, delete, export, copy, or correct their personal information,
  • Automating data mapping tools,
  • Automating data protection impact assessment processes, and
  • Automating subscriptions to manage consent and opt-out requests.

Impact of the California Consumer Privacy Act

Even though the CCPA is a state law, its scope is broad enough to apply to many businesses that may not currently consider themselves to be under the purview of California law. Also, in the wake of the CCPA, a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues. Taking this into consideration, it is critical that businesses address CCPA compliance issues now, rather than when it is too late.

The key approach is to create a compliance strategy that, once used to comply with one set of data privacy rules, can be easily adapted to make compliance with other similar regulations simple and less resource intensive. In addition to aligning their data security and privacy practices, companies should have programs and technologies to classify personal data, protect it, constantly monitor and analyze for threats, and thus maintain CCPA compliance.

Get a range of industry-leading solutions designed for ease of use, ensure compliance with different regulations, and eliminate costs necessary for HR services.