Are You Compliant With the California Consumer Privacy Act?


The California Consumer Privacy Act went into effect on Jan. 1, 2020. Now that this game-changing piece of cybersecurity legislation has become law, companies need to get serious about the details.

Does your company have one or more customers in California? If so, CCPA almost certainly affects you. The law grants individuals a right of action (basically, the ability to sue) if their unencrypted or unredacted data is stolen. That right applies even if the stolen data caused no personal harm. Data breaches already are scary, but the threat of class-action lawsuits makes them more so.

More specifically, if you meet any of the criteria listed below, the CCPA affects data security and privacy for your business:

  • If you are part of a for-profit organization doing business in California that earns $25 million or more in revenue per year
  • If 50% or more of your company's annual revenue comes from selling personal information
  • If you sell 50,000 or more consumer records per year

Compliance with CCPA means giving California residents the right to know what personal information has been collected and whether it's been sold, as well as the right to access and delete that information at will. Meeting those mandates won't be easy, so we suggest you start immediately.

What CCPA Means for Daily Operations

The good news is, the CCPA isn't drastically different from existing data privacy laws, most notably the General Data Protection Regulation passed in the European Union in 2018. Like its California counterpart, the GDPR requires companies to give individuals more control over their personal data. GDPR rules apply to anyone who does business in Europe, which is likely to be a large swath of companies that do business in California, too. Those companies already have done much of the legwork to comply with CCPA.

The bad news is, the laws are not identical. For example, both involve updating privacy notices, improving opt-in/opt-out requests, and abiding by requests to delete data. Unlike GDPR, however, the California law requires companies to create a "do not sell" link that lets users restrict how their data is monetized. The devil is in the details, and companies can't assume that complying with another set of rules ensures compliance with CCPA.

Penalties for noncompliance are uncertain, but they're intended to be meaningful. The California attorney general can levy fines of  for each user profile handled improperly. Multiply those fines by the thousands of users typically affected by a breach, and it's clear just how costly CCPA could become.

Getting Compliant on a Short Schedule

If you already have a data privacy program in place, you're on the right path. With a few updates, you will likely be in full compliance with CCPA. If you don't have a program, you may have a lot of ground to make up:

  • Data mapping: Identify exactly what data you have, where it lives, and who does the processing. Understanding what data exists inside your ecosystem is a prerequisite for securing it as CCPA requires.
  • Data governance: Evaluate your ability to manage and monitor incoming data. Without excellent governance, companies that start compliant may struggle to stay compliant.
  • Data monetization: Plan how you will monetize data (now and long-term) in ways that comply with CCPA. The law creates strict mandates for monetization.
  • Privacy controls: Judge whether your existing privacy controls create gaps that might conflict with CCPA. If and when they do, identify how processes and technologies need to evolve to close those gaps.
  • Compliance management: Make a team or individual responsible for ongoing CCPA compliance. Staying within the letter of the law will take constant evaluation and adaptation, work that companies can't afford to neglect. Plus, by cultivating in-house compliance experts, companies are better prepared for future data-privacy laws at the local, state, federal, or global level.

If you don't serve California, be aware that other states are considering similar laws, and tougher privacy protections seem all but guaranteed. Therefore, everyone should take the spirit of CCPA seriously and begin preparing for a future in which data is an asset and a liability.

When you're ready to get started,  to properly secure all of your data and help you stay compliant with every regulation that comes to pass.