California data privacy is a hot topic today as 2018 California state legislation went into effect in 2020. Many companies want to know if the California Consumer Privacy Act (CCPA) applies to them. And if so, they want to know what – if anything – they need to change to become CCPA compliant.
California’s Cybersecurity Regulations
If you’ve been watching the news and operate a business that collects, buys, or sells consumer information, you may be considering a CCPA audit. The California Consumer Privacy Act (CCPA) is the most extensive data privacy law in the United States.
What’s happening in California affects everyone. The fight for a person’s right to privacy affects everyone. Because some people in power will pursue their self-interests to the exclusion of everyone else as far as the law will let them, it is necessary to legislate what can be done with personal information. It used to be that most consumers thought the harmless reason for the collection of their information was to serve up more relevant advertising, which was a win-win situation.
The California Consumer Privacy Act (CCPA) was passed in 2018, and it affects companies that handle private data. The act, also referred to as AB 375 follows the guidelines of the EU’s (European Union) General Data Protection Regulation (GDPR) while broadening the definition of what constitutes private data.
CCPA is the acronym for the California Consumer Privacy Act. It is the first act of its kind in the U.S. and only covers residents in California. CCPA mirrors the standards set down in 2018 by the European GDPR (General Data Protection Regulation) which protects consumers’ private information, including names and email addresses.
In 2019, data privacy was a big topic of discussion for everyone from the regular Joe/Jane user to the Supreme Court and the European Union. Now that we have crossed over the bridge to 2020, data privacy in the U.S. is about to become just as important as data security.
In an era where information can easily be captured, shared, and stored, the privacy of personal data is becoming an essential area of focus in today’s electronic world. While customers are starting to become savvier and educated about the Internet and privacy concerns, they are also becoming more distrustful about how organizations collect and use this information.
Business transparency is becoming more important than once thought in the consumer age. As technology continues to evolve, consumers are now taking control of what they want to see, trust, and research by investigating product materials and the overall history of an organization.
After all, products and services are not only a solution to a problem but can also deliver experience and personal connection. According to the 2016 Label Insight Transparency ROI Study, 73 percent of consumers are willing to pay more for a product that promises complete transparency.
Related statistics further indicated that 39 percent of consumers revealed that they would switch to a new brand in the hopes of gaining product transparency. By providing clarity, customers can eliminate anxieties or any suspicions about the value of the product, therefore, ensuring a higher return on investments.
Perhaps the most popular United States (U.S.) state statute related to organizational transparency is the California Consumer Privacy Act (CCPA), which was approved to improve consumer protection and privacy rights for residents in California. The CCPA legislation was approved last month, but won’t be enforced until later this year.
The California legislature further notes that the heightened desire for privacy controls and transparency in data practices was the primary reason for the government to approve the law in 2018. The increased desire for transparency was a result of Cambridge Analytica’s misuse of personal information.
The CCPA uses many concepts and ideas in the General Data Protection Regulation (GDPR) standards to come up with general privacy laws designed to protect an entire population group. Similar to GDPR, organizations that comply with CCPA should be aware of the individual rights of their consumers and guarantee that mechanisms are in place to act on these.
Personal information may include but is not only limited to name, biometric data, email addresses, age, geolocation data, employment or professional data, and Internet of Things information related to California residents. Generally, CCPA characterizes personal data as any data that relates, identifies, describes, and is capable of being associated with a particular consumer or household.
The act differs from other regulations such as the Health Insurance Portability and Accountability Act (HIPAA) as it includes household information in the definition of personal information. While CCPA and GDPR have several similarities, the former’s unique requirements primarily focus on the concentrated efforts on the part of the business to achieve and stay compliant. It is also worth noting that being GDPR compliant does not mean that a business is CCPA compliant by default.
Nevertheless, GDPR-compliant businesses have already met some of CCPA requirements and only need to make adjustments on their privacy policies to acquire compliance.
Among the consumer’s rights based on CCPA include:
Right to Know
The CCPA indicates that customers have the right to know what personal information gathered, used, distributed, or sold. The legislation mandates that organizations provide transparency into both the specific personal information they collect and the broad classifications of data they gather.
Right to Delete
Consumers have the right to delete their data held by businesses and service providers under CCPA. However, this does not mean consumers can gain entry to business systems, but instead, they can request that a company erase their information. On the flip side, businesses must comply with the request of their customers to avoid penalties and legal troubles from the government.
Right to Opt-Out
The CCPA also provides customers with the right to unsubscribe if they do not want their data to be sold. Businesses are required to get opt-in consent for children 16 and under before they can sell data while a parent or guardian must permit those who are the 13 or younger age bracket.
Right to Non-Discrimination
The CCPA distinctly outlaws businesses from communicating any form of discrimination relative to a consumer exercising their rights to privacy.
Who’s required to comply with CCPA?
The CCPA applies to any for-profit business that gathers personal data of consumers, California-based entities and meets at least one of the following thresholds:
- Has an annual gross profit of more than $25 million
- Discloses and receives the personal data of 50,000 or more California households, residents, or devices each year
- Accumulates 50 percent or more significant yearly revenue from selling the personal information of California residents
Organizations that satisfies these parameters are also required to employ and maintain reasonable security practices and procedure in protecting customer information. Meanwhile, the CCPA does not cover non-profit or smaller organizations that do not meet the revenue thresholds or those that do not traffic significant amounts of personal data from California residents and do not share a brand with an affiliate.
While the CCPA currently extends to for-profit companies in California, entities outside of the state may also be required to meet the standard, as mentioned above. This is especially true for data-driven organizations that collect personal information from California residents. It is worth noting that the scope of CCPA is to protect the rights of residents living in California.
Besides the above-mentioned responsibility and accountability requirements, organizations must also include a “Do Not Sell My Personal” link on the home page of their websites. The CCPA also requires organizations to assign methods for submitting information access requests by including a toll-free number, email addresses, or even their social media accounts on the sidebars or footers of their websites.
Moreover, businesses should avoid requesting opt-in consent for a year after a California resident opts-out from their service. Business websites must also include privacy notices that can easily be accessed to provide customers information about the information that is used by the organization.
These notices should include a full description as to how personal information is used or collected and the categories of personal data the business has sold to third-party in the previous year. Companies also need to publicly inform and disclose the existence and nature of consumer rights under the CCPA to their clients.
Failure to follow these set accountability and responsibility requirements could lead to potential reputational damage and hefty fines. A fine up to $7,500 is set for every single intentional violation, and $2,500 is charged for organizations that commit unintentional breaches. Furthermore, the CCPA also requires businesses to solve alleged violations within 30 days after being notified of non-compliance.
How to Become CCPA Compliant?
Achieving CCPA compliance will require a concentrated effort from organizations. They should be able to establish sophisticated privacy strategies with input from all affected facets of operations to manage the immediate requirements of CCPA and plan for future concerns related to privacy. Here is a CCPA compliance checklist that businesses can do to increase their chances of complying with regulatory standards.
Identify CCPA Obligations
Unlike other privacy regulations, CCPA goes beyond the current U.S. privacy protections as it imitates elements indicated in the European Union’s GDPR. By determining their obligations to the CCPA, organizations can understand the exact nature of exemption from these privacy laws.
CCPA currently grants an exemption for firms that are regulated by the Gramm-Leach-Bliley Act (GLBA). It is also essential that organizations map all the personal information under their control by assessing the collection, distribution, and storage processes.
Although the enforcement of the law will not start until at least July of this year, covered entities should comply with the request of consumers to have their information permanently deleted. By conducting a data mapping exercise, organizations can also ensure that all of their third-party vendors have the same and share results.
Update Website Privacy Disclosures
As mentioned, the CCPA provides customers the right to know what personal data is being gathered about them. This is why it is essential for organizations must provide a disclosure at or before the point of collection by informing customers of the classifications of personal information to be gathered and the purposes for which the categories of personal data shall be used.
By updating privacy disclosures, businesses can guarantee that consumers can learn where the personal information is collected from and the categories of third parties with whom it is shared. This provides added transparency that can be vital for businesses in attracting potential customers in the long run.
The CCPA law also calls for business webmasters to begin the IT change management process by adding a homepage privacy link that allows customers to opt-out of having their personal information sold.
Determine and Apply System Changes
Corresponding business systems need to be updated as well to implement the procedures above. This involves informing your IT team about the upcoming changes so that they can prioritize them within their change management process.
Writing new procedures that should be followed by your IT team is also necessary so that they can incorporate them into your systems within the July 1 deadline. Training employees on the critical aspects of the innovative business procedures, system updates, and CCPA should also help organizations reach compliance.
As per CCPA, consumers are allowed to seek damages for breaching personal information if it is the result of business failure to apply and maintain reasonable security procedures. This could lead to significant monetary losses and bad publicity that could affect your lead generation process in the future.
What are the Business Benefits of CCPA?
At a single glance, it may seem like that CCPA brings a slew of benefits to consumers and particularly nothing but more work and efforts for businesses. However, complying with CCPA standards can provide enterprises with the competitive advantages that compliance can bring to the table.
As consumers become more aware of their personal information, it is only usual that they gravitate towards businesses that are well-equipped for security protection. Adhering to CCPA standards puts an organization in a unique position to stay ahead of their competitors in future business transactions.
Experts predict that data regulation is going to be a continuous issue in the coming years with more states in the U.S. coming up with pieces of legislature similar to CCPA.
Becoming CCPA compliant prepares organizations for continuous changes. While some point is likely to vary from every single state, only minimal improvements or modifications are required to be made if organizations are already compliant with CCPA regulations.
Other than that, CCPA also provides businesses with a marketing advantage, especially in tapping into new markets. This is for the simple fact that much of the information that marketers work is usually not precise.
There is a considerable chance that the information can go obsolete soon as well since the data source remains unknown and is collected by third-parties. With CCPA, businesses can put together a robust data protection legislation in place so that they can gather information in a highly-regulated digital environment.
This also benefits businesses because they will know exactly where their information comes from and its accuracy. While CCPA makes it more difficult for companies to acquire consumer data, the implementation of the act will provide them with reliable information that can be used to adjust their marketing strategies to align with the wants and needs of their target markets.
Additional requirements are expected to be added to the CCPA act. This could mean more benefits for organizations that are seeking to put themselves at the top of the curve in a cutthroat business landscape. Among the proposed CCPA compliance requirements include the following:
- Businesses that manage personal data of more than four million customers should provide extra training and record-keeping obligations.
- Businesses should disclose financial rewards offered in exchange for the sale or retention of a client’s personal information and describe how they estimate the value of personal data.
- Organizations should keep records of requests and how they responded for two years to display their compliance.
Business transparency builds trust and makes consumers and employers feel that they are engaging with an organization higher ethical standards. Find out how being CCPA compliant can help your business reach new heights by speaking with an expert from RSI Security today.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
The United States’ (U.S.) privacy law landscape is continually shifting and evolving as federal and state privacy proposals continue to be debated and become enacted. The recent change in the privacy law sphere can mainly be attributed to the inherent demand of customers for transparency from business organizations.
Is your business ready for the California Consumer Privacy Act (CCPA)? If you handle consumers’ personal information, resolve to get in compliance before it’s too late. Starting January 1, 2020 consumers are going to be entitled to protection from companies selling personal information to other third-party companies without their knowledge. They are also going to be entitled to relief from wrongful sharing of their personal information, whether or not it was leaked on purpose. Read on to find out what these new protections are and what you can do about them to reduce your liability.