If you’ve been watching the news and operate a business that collects, buys, or sells consumer information, you may be considering a CCPA audit. When it took effect, the California Consumer Privacy Act (CCPA) was the most comprehensive state-level data privacy law in the United States.
It is true that the law does not reach you if you do not do business in California, but in practice that means not collecting or handling the personal information of California residents at all, not merely having no office there. Refusing to do business in California also limits your company severely: the state is one of the largest economies in North America. If you want to scale your business beyond your home state, becoming CCPA compliant is a must.
In this article, we will walk you through what a CCPA audit is. Additionally, we’ll provide you a quick CCPA questionnaire to give you a preview of the audit process. Performing an audit is the first critical step in becoming CCPA compliant.
What is the CCPA?
In 2018, California passed the CCPA, sometimes informally called the California Data Privacy Act. The law went into effect on January 1, 2020, and businesses that handle the personal information of California residents must now be CCPA compliant or risk legal consequences.
In the interval between passing the bill and the beginning of 2020, California’s government allowed time for organizations to perform CCPA audits and update their operations. Even if your business is based outside California, you may still be required to comply with the CCPA.
To Whom Does the CCPA Apply?
The California Consumer Privacy Act of 2018 protects natural persons who are California residents. These consumers have the following rights under the CCPA:
- Consumers can request to know what personal information a business has collected about them, including the categories and specific pieces of information, the sources it came from, the business purpose for collecting it, and the categories of third parties with whom it has been shared.
- Consumers can opt out of the sale of their personal information to third parties, and the business must honor that request.
- Consumers under 16 may not have their personal information sold without affirmative opt-in consent (from the consumer if aged 13 to 16, otherwise from a parent or guardian).
- Consumers can make deletion requests, requiring a business to delete the personal information it holds about them (certain exceptions apply).
- Consumers are protected against discrimination by a business for exercising their CCPA rights, such as being denied service or charged a different price.
The law applies to for-profit businesses that collect California residents’ personal information, do business in California, and meet at least one threshold. At the time it took effect, those thresholds were: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50 percent or more of annual revenue from selling consumers’ personal information. If consumer information is a critical part of your operations and revenue stream, you will likely be required to become CCPA compliant before serving clients in the state of California.
For further details about CCPA requirements and how they differ from federal privacy laws, see our separate CCPA guide.
What is the Penalty for Violating the CCPA?
The CCPA’s private right of action is narrower than many assume: California residents may sue a business when their nonencrypted and nonredacted personal information is exposed in a data breach caused by the business’s failure to implement and maintain reasonable security procedures. A successful plaintiff can recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
Separately, the California Attorney General may seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, for any CCPA violation. The law gave businesses 30 days to cure an alleged violation after receiving written notice. A business that cures a breach-related violation within that window and confirms so in writing avoids statutory damages, but the notice requirement does not apply to claims for actual pecuniary damages, and a breach that has already exposed data is often not curable in any meaningful sense.
How Does One Become CCPA Compliant?
To become CCPA compliant, you must first perform a CCPA audit. The audit tells you what, if anything, needs to change before you may do business with California residents. It examines your data mapping, how you collect and use consumer information, and with whom you share it.
The CCPA compliance process requires you to develop a series of policies and disclosures that demonstrate transparency, including a privacy notice that describes the categories of personal information you collect and the purposes for which you use it. You will also need a system for receiving, verifying, and fulfilling consumer requests, including opt-outs, requests to know, and deletion requests.
Lastly, CCPA compliance requires covered companies to honor deletion requests properly, including directing the service providers with whom they have shared personal information to delete it as well. For some organizations the compliance process could mean substantial process changes and employee retraining.
What are the Advantages of CCPA Compliance?
While many organizations are frustrated by the new restrictions under the CCPA, others see an opportunity to gain a market advantage. For example, companies using consumer data and doing business overseas have already taken steps to comply with the European Union’s General Data Protection Regulation (GDPR).
Organizations that are already GDPR compliant have a head start on the CCPA, since both laws require data inventories, privacy notices, and processes for handling access and deletion requests. The two laws are not identical, however: the CCPA’s opt-out model for the sale of personal information and its definition of “sale” have no direct GDPR equivalent, so some adjustment is still needed. Companies that can demonstrate compliance with both regimes earn greater trust among their employees, clients, and prospects.
In short, the CCPA is an opportunity for your organization to earn trust with customers, expand your operations, and reduce your data privacy liability.
How Does a CCPA Audit Work?
As you might expect, a CCPA audit examines your business operations from “head to toe” looking for any possible CCPA violation. Audits are never fun. However, catching non-compliance before a consumer or regulator does saves you time, money, and your professional reputation.
Ideally, you should engage an individual or firm experienced in both consumer privacy law and cybersecurity to perform a CCPA audit. If you work with a firm like RSI Security, the auditors will tell you which steps to take to become CCPA compliant.
When Should You Get a CCPA Audit?
If you do business in California, whether in person or remotely, or if you ever hope to do business with customers in California, it is critical that you become CCPA compliant as soon as possible. Your first step is to perform a CCPA audit.
CCPA Questionnaire: Are You CCPA Compliant?
For a closer look at what an audit entails, we’ve compiled a brief CCPA questionnaire. Keep in mind that this list is by no means exhaustive. However, these questions can help you expose possible non-compliance within your organization.
Have you selected a third party qualified to administer a CCPA audit?
A proper CCPA audit calls for subject matter experts with strong attention to detail and detailed knowledge of the CCPA and its implementing regulations.
Do you maintain data maps?
Data maps record how you collect, store, use, and share personal information: which systems hold it, what categories it falls into, where it came from, why you process it, how long you keep it, and which vendors or third parties receive it. Accurate data maps are invaluable to information security and data privacy compliance, because you cannot fulfill a request to know or a deletion request for data you have not located.
What is your privacy policy and does it align to the CCPA?
Central to any privacy program is your privacy policy. It’s not enough to have one. You must understand the full scope of that policy, ensure it reflects what your systems actually do with personal information, and update it to align with CCPA disclosure requirements.
Do your employees abide by your privacy policy?
Employees who do not understand your privacy policy are a significant liability to your organization. It is your responsibility to make sure that employees, particularly those who handle consumer requests, know what to do, and that there are internal consequences for ignoring company policy.
How often do you update your privacy policy?
Because laws and business practices change, as the passage of the CCPA itself shows, you and your decision-makers should plan to review your privacy policy regularly, and at least once every 12 months as the CCPA requires.
Do your internal operations and external resources maintain IT and data security?
Any information security breakdown, whether inside the company or at a vendor that processes your data, can undermine your CCPA compliance efforts. Because the CCPA’s private right of action is tied to breaches caused by a failure to maintain reasonable security, weak security controls carry direct legal exposure, not just compliance risk.
Do you have a reliable process for receiving consumer requests to invoke their CCPA rights?
California consumers must be able to exercise their rights under the CCPA. The law requires a business to offer at least two designated methods for submitting requests, including a toll-free telephone number (with an exception for businesses that operate exclusively online) and, if the business has a website, a way to submit requests through it. A business that sells personal information must also provide a clear “Do Not Sell My Personal Information” link. Behind those channels you need a process to verify the requester’s identity and respond within the statutory deadline.
Can you fully comply with personal information deletion requests?
Upon receiving a verified deletion request, you must delete the consumer’s personal information unless a statutory exception applies (for example, data needed to complete a transaction or to comply with a legal obligation), or risk legal action. You must also direct any service providers holding that data to delete it, so your contracts and processes with affiliates and vendors need to support deletion requests end to end.
Do all of your vendor contracts reflect CCPA compliance?
Remaining CCPA compliant is difficult if your vendors and affiliates are not also compliant. Make sure to communicate clearly with external organizations about your expectations. In some cases, you may need to renegotiate contracts or change vendors.
In Conclusion
Performing a CCPA audit is the beginning of becoming CCPA compliant. As consumer data privacy becomes a higher priority in the United States and abroad, taking compliance steps today leaves your organization well prepared.
RSI Security exists to help businesses improve their cybersecurity by administering compliance audits and services relevant to the CCPA. If you need assistance in meeting California’s privacy requirements, contact RSI Security today.