10 Key Steps to Comply with the California Consumer Privacy Act (CCPA)
This is a guest article by Anas Baig from SECURITI.ai
With the exponential growth of the digital world, regulations must be put in place to protect people's rights and secure their data. According to a study conducted by DataReportal, over 4.5 billion people share their data online, and most of them are uncomfortable with the lack of rights in place to protect that data from misuse or breach.
What are the Data Rights Under California Consumer Privacy Act (CCPA)?
The CCPA (like the GDPR) was a response to these concerns: it gave people rights over their data and imposed obligations on organizations that store, process, and distribute that data. It gives people the following rights over their data.
Right to Notice: CCPA requires businesses to inform consumers when personal information is being collected during online interactions. They must also disclose how they intend to use the collected data.
Right to Access: CCPA grants consumers the right to ask a business to disclose categories and specific sections of personal data collected during online interactions. Companies must also tell consumers what types of information are shared with third parties.
Right to Opt-out: Consumers have the right to decline their personal information being sold by a business. Businesses are prohibited from discriminating against consumers who exercise this right.
Right to Request Deletion: CCPA gives consumers the right to request that their personal information be deleted. Businesses must comply with a consumer’s request unless the law requires that particular data to be retained.
What are the Fines and Penalties associated with CCPA?
Organizations that fall under the CCPA must revamp their operations so that they can respond to any data subject request a consumer submits while exercising these rights.
Under the CCPA, organizations have 45 days to fulfill a data subject request or risk fines and penalties for non-compliance. These penalties range from $2,500 to $7,500; the upper end is reserved explicitly for violations that the CCPA enforcement body deems intentional. Unintentional violations remain subject to the $2,500 maximum fine. There is also the possibility of the organization being sued directly by the consumer for a breach of their personal information, in which case consumers can recover anywhere from $100 to $750 depending on the damages they claim.
CCPA has been in effect for four months now and is only another two months away from complete enforcement. This could spell danger for organizations that are not adequately prepared for it.
10 key steps towards CCPA compliance
Although the CCPA is a state law, its reach is global: over 500,000 organizations all over the world are required to comply with its regulations. Here are some of the steps you can take to become fully compliant.
1. Determine whether CCPA applies to you
Organizations need to understand that not everyone is required to comply with the CCPA. The law applies to businesses that meet at least one of three thresholds:
- Gross annual revenues greater than $25 million
- Organizations that buy or sell the personal information of 50,000 or more consumers, households, or devices
- Businesses that derive 50 percent or more of their annual revenue from selling consumers’ personal information.
These organizations do not necessarily need to be physically present in California. If they meet the threshold from anywhere in the world, they are obligated to comply with the CCPA.
2. Involve all teams
Although compliance with the CCPA, which includes creating data inventories and responding to data subject requests, might seem like a tech-dominated task at face value, it is much more than that.
“There are IT aspects to compliance with the CCPA,” says Jason Schwent, data privacy specialist at the law firm Lathrop Gage. While tracking information, deletion, and security do tend to be tech-oriented tasks, adherence to the CCPA “is a legal compliance issue,” he maintains.
According to Richard Harris, chair of the technology, telecommunications, and outsourcing practice at the law firm Day Pitney, “Businesses should put together a team comprising of legal, compliance, business, and technology experts. The team can assess the compliance strategy to address the implications of CCPA on their business and an impending onslaught of similar legislation expected in 2020.”
3. Take an organized approach
Compliance will not be achieved overnight, and pushing your team to do so could result in frustration to no avail. Organizations are advised to take a steady approach towards adherence with the CCPA. They will have to develop new processes for evaluating and responding to data subject requests, and they will have to train their employees on the regulation so that everyone is up to speed.
4. Decide whether to extend CCPA protections to your entire customer base
Giving California residents rights that customers elsewhere do not have could create a disparity among customers outside California, which in turn could create customer-relations issues. According to Nancy Perkins, counsel at the law firm Arnold & Porter, “A business that is very consumer-facing and heavily depends on direct relationships with consumers for its reputation and business growth may want to extend CCPA rights and protections to all consumers as a promotional, consumer-friendly gesture.”
5. Revise your online privacy notice
Organizations will need to revamp their privacy policies to include descriptions of the categories of information collected, the third parties with whom the data is shared, and consumers’ rights under the CCPA. Lathrop Gage’s Schwent says, “The policy should be drafted with the specific needs and uses of the organization in mind to ensure that it is implementable, useful, and enforceable.”
6. Document “reasonable security” practices
The CCPA does not explicitly mention encryption, but under its security provisions it requires organizations to set up “reasonable security practices.” To avoid complications later, organizations need to keep sufficient documentation of the security controls in place so that they can demonstrate ‘reasonable security’ in the event of a data breach. Although there are still two months until full enforcement, the security provisions are immediately enforceable, either by the California Attorney General or through a private right of action.
7. Establish a subject data request process
CCPA gives consumers the right to submit a data subject request to access their information, to opt out of their information being sold, or to have it deleted. Organizations need to prepare a streamlined process that can handle all of these requests and fulfill them promptly.
8. Data Discovery
Organizations need to map all personal information that they have stored or shared with third-party vendors. Organizations will need to know the types of personal information that they have collected in the past year, the purposes for which the data was collected, and the types of vendors to whom this information was disclosed in the past 12 months.
9. Review vendor contracts
Organizations need to revisit their vendor contracts, find out which vendors have access to any personal information, and double-check the data-handling language in those contracts. This gives organizations the contractual protections they need to restrict how vendors use the data.
10. Train employees
Finally, and probably most crucially, train your employees on the ins and outs of the CCPA, both at a general level and department by department. The CCPA places emphasis on training the personnel who will be responsible for receiving and acting on consumer requests. Employees need to understand the privacy program in order to reduce risk for the business, both from a process perspective and from a customer-communications perspective.
The CCPA is here, and although full enforcement is still months away, most organizations are not prepared to comply with all the regulations in place.
Organizations will need to complete the following tasks to comply with it:
- Determine whether the CCPA applies to you
- Involve all teams to work towards compliance
- Take an organized approach towards compliance
- Decide whether to extend CCPA protections to your entire customer base
- Revise online policies
- Document security practices
- Establish a data subject request fulfillment process
- Create a data inventory
- Review vendor contracts
- Train employees on the CCPA
It’s going to be a long, meticulous road that will require many changes to processes, policies, and documentation, but after the dust settles, the world will be a safer place for your data.
With a passion for working on disruptive products, Anas Baig is currently a Product Lead at SECURITI.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.