The year 2020 saw the California Consumer Privacy Act (CCPA) enforcement, a landmark law that provides the most comprehensive consumer data protection in the United States of America. Its effects are far-reaching, especially for businesses. This is why it is crucial to have a thorough approach to comply with its requirements. When it comes to how to prepare for CCPA, we will guide you through everything you need to know.
The influx of information has rapidly overwhelmed the world in the 21st century. Our most sensitive personal information can be found in all our gadgets — from smartphones, laptops, cloud services and personal computers. This is why it is vital to prioritize data security for everyone’s welfare in the Golden State.
With this in mind, the California legislature gave their unanimous approval for the enactment of the CCPA on June 28, 2018. We’ll provide an in-depth analysis of why this law offers the most protection when it comes to user data in the US — plus the implications that business must understand to avoid unnecessary interruptions.
The Law in a Nutshell
Every Californian resident should know their inherent rights as provided by the CCPA. Here are the entitlements of every consumer according to this law:
- Individuals can control the use of their personal information, including its sale and disclosure.
- Users have the right to know and access what kind of personal information is being collected from them. They can also control its deletion.
- People can reject the sale of their data. They are still entitled to receive equal prices and services, even if they exercise the right to opt-out of a particular system.
With the vastly significant role of information in today’s day and age, breaches have become commonplace. These have become exorbitant expenses for many consumers and companies to shoulder. The Ponemon Institute, for example, conducted a study on the average financial toll of data breaches in the $8 million range, more than double the global average. Over the past five years, these data vulnerabilities have increased by 12%.
The term “consumer” as used in the law covers any California resident. The keyword “personal information” is a broad term to include any type of information that can be reasonably linked to this particular consumer, directly or indirectly. Here are typical examples:
- Real name
- Alias / Nicknames / Online identifier
- Postal address
- Internet protocol address
- E-mail address
- Social Security number
- Passport number
- Driver’s license number
- Commercial information
- Biometric information
- Internet activity
- Geolocation data
- Professional information
Effect on Businesses
The key provisions of the CCPA have an immense impact on businesses, provided you meet the following qualifications:
- Annual gross revenue exceeding $25 million
- Consumers ranging 50,000 and up, involving the purchase, reception, selling or sharing of their personal information
- Earning more than half of annual revenue based on the selling of the personal information of consumers
At first glance, the $25 million threshold seems to exclude small businesses. According to Quickbooks, a small company with around 20 to 99 employees has an annual average of only $7 million. But it is not an excuse to neglect the provisions in the law. There is still a need to prepare for its requirements, even for small businesses.
The law provides incentives for small businesses to take care of the personal data that is processed within its business environment. However, it’s not that easy because many establishments are constrained by resources especially in light of the COVID-19 pandemic.
But it’s wise to take a precautionary approach to comply with the CCPA. The California law will drastically change the way personal information is handled when it comes to commerce. This will be a precedent that other states will emulate, especially with the successful example of the European Union (EU) and its General Data Protection Regulation (GDPR).
While California is just a single state, its example may result in similar laws across other states in the next few years. For example, the state of Nevada has created an amendment to its online privacy law. This includes an opt-out for consumers to sell their personal information in businesses.
As more consumer rights are expanded and created, expect more litigation. This is why businesses need to protect themselves accordingly with impeccable law compliance. Awareness is one of the best measures that can be taken to avoid bothersome financial penalties.
Let’s talk about the potential penalties for companies that will violate the provisions of the law. Starting July 1, 2020, the California Attorney-General can pursue civil penalties for any CCPA transgressions. Intentional violations are worth $7,500 while unintentional violations cost $2,500.
A violation is logged when a business violates a consumer’s data rights. The establishment in question will have thirty days’ notice to fix the violation. If it is neglected, the Office of the Attorney General will take action.
There is a lot of inherent confusion that businesses may be going through whether they are under the law’s coverage. It is best to sort out all these questions to avoid penalties.
What Businesses Must Do for Compliance
Businesses should prepare for compliance. Otherwise, financial harm can prove grave for these establishments. The focus should be on the “reasonable security” aspect of the law that ensures that the company has proper processes and practices in place. There should be strong endpoint encryption and protection throughout the company.
Setting Up the Data Request Process
The aspects of the business that must undergo careful scrutiny are its information security posture, honoring of access requests, personal data processing and other rights and requirements under the law.
A process must be put in place whereby consumers who have data requests are responded to immediately. When these requests are received, the business must inform consumers about the different categories of personal information. There should also be an update on why data is collected and for what purposes.
Once this request has been processed, the company must take steps to disclose the needed data and deliver it to the user. This must come free of charge to the consumer, as required by law. The delivery of the information may be done by mail or electronic means (such as email). The data requested shall be in a portable, feasible and usable format that allows the user to transmit this information to another without any obstacles.
For more specifications, the company should create a mechanism for users to submit requests for information disclosure. This can come in the form of a toll-free telephone number or an Internet website. If the business is purely online by nature, a website will suffice.
Responses to the user should be available within 45 days after the request has been received. Note that this is still free of charge to the consumer.
The website must be CCPA-compliant with its privacy provisions. It must have a notice to consumers about the different categories of personal information that must be collected. The purpose of the collection should be explicitly stated.
An Opt-out Clause
To handle these requirements well, a company must maintain a staff that will handle security procedures and practices according to the law. Take note of other consumer rights under the CCPA. They must not be discriminated against in any form. A deletion process must be readily available to them to have their personal information removed whenever they want.
The Look-back Requirement
There must also be compliance with the look-back requirement. This is a process wherein a consumer can request records covering 12 months preceding the date of a request for access to their personal information.
There should also be a process wherein a company can respond to consumer notifications of a lawsuit under CCPA. By law, users are required to provide a business establishment with thirty days written notice in advance to cure a potential violation.
Additional regulations are taking place as we speak, as changes to the implementing guidelines are made. This is why it is essential to be on top of the situation when it comes to any update in the CCPA compliance guidelines. Here are some of the proposed changes:
- Businesses must have disclosure requirements if they are collecting personal information from more than four million consumers.
- Ten days lead time to acknowledge consumer requests.
- The response of 15 days to honor “Do Not Sell” requests and inform third parties that receive this information within 90 days.
- Acquisition of consumer consent for the use of personal information for a purpose that is not yet disclosed at t the data was collected.
Areas of Uncertainty
Several businesses have been struggling to keep up with these requirements on their own. A study by Ethyca has determined that only 12% of companies in California have achieved the level of “adequate state of compliance.” 38% of the respondents reported that they would need another 12 months to meet the requirements. A big reason behind this is that 75% of companies still rely on manual processes, instead of streamlining it with a digital system.
Experts have surmised that a big reason behind this struggle is that there is still much uncertainty about the CCPA and that there are not many details about the compliance cesses forreover, there are also proposed changes that will only work to make the compliance process harder for struggling businesses.
As for exemptions from the CCPA, it should be noted that the law does not apply to commercial conduct that is done “wholly outside” of the state of California. Data covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) are also exempted.
This means that if the personal information is already under the regulation of federal law such as GLBA or HIPAA, or state law such as California’s Confidentiality of Medical Information Act, thenan be placed outside the scope of CCPA. Last but not the least, non-profit entities are also exempted from the CCPA.
Expert Guidance for the CCPA
RSI Security offers full services for compliance, assessment and advisory insights about the California Consumer Privacy Act. To offset any confusion or lack of preparation when it comes to CCPA compliance, let our years of experience and expertise guide you through all the requirements of the CCPA.
We can assist you in attending to all the provisions of the CCPA so that these do not significantly hamper your business operations. We specialize in protecting personal data as wanders the rights of the consumers according to the California Consumer Privacy Act.
Our team can also evaluate the data privacy and security policies, procedures and controls of your company. This is important in avoiding data breaches, vulnerabilities and gaps. We’ll prepare you to face the CCPA audit.
Our line of services include the following:
- Audit and Assessment Services for CCPA provisions, including physical, administrative and technical safeguards for the personal data environment
- Personal Data Mapping and Inventory
- Privacy by Design
- Program Privacy
- Impact Assessment Incident
- Data Breach Response Planning
- Network Penetration Testing
- Vulnerability Scanning Enterprise
- Privacy Risk Assessment
- Personal Data Security Awareness and Training.
Here are the benefits for your company if you are compliant with the CCPA:
- Readiness for the law audit
- Secure personal data environment
- Security risk management
- Increased personal data protection
- Increased customer trust and organizational reputation
- Implementation of the information security program
- Effective incident response planning
For the best preparation for CCPA compliance, trust RSI Security to guide you with everything you need to succeed under the California Consumer Privacy Act. We can make the process more efficient and less complicated with our assistance.