California’s famously sunny, laid-back surfer culture belies its role in shifting national conversations on hot-button issues through the passage of landmark legislative acts. The first to pass everything from air pollution to medicinal marijuana to no-fault divorce legislation, California is leading the fight for consumer-friendly data privacy laws.
What You Need To Know About CCPA
Privacy regulations are complex, it’s true. But they’re manageable for each and every business with the right approach. If you’re at the beginning of your privacy compliance journey (cue inspiring music), here is what you need to know about CCPA and your business.
The number one question we get from clients is, "So do I need to worry about CCPA or not?"
CCPA applies to for-profit businesses that operate in California, collect and control California residents’ personal information, and meet one of the following requirements:
- Has annual gross revenues over $25 million
- Collects personal information from more than 50,000 California residents, households, or devices each year *
- Receives 50% or more of its annual revenue from selling California residents' personal information
*The threshold for personal information collected will be raised to 100,000 in 2023 when the California Privacy Rights Act becomes enforceable.
This may sound like it’s only for big corporations. It’s not. Researchers estimate as many as 75% of California businesses making under $25 million in annual revenue will be impacted by the law.
A consumer’s individual right to control how their personal information is used is at the heart of CCPA. Rights codified by CCPA include the right to:
- Know what information you are collecting about them and why
- Request you delete their information from your databases
- Know what third-party companies you are sharing their data with or buying their data from
- Require opt-in consent before their data is sold, for anyone 16 and under
- Opt-out of the sale of personal information
The last one—the right to refuse the sale of personal information—is the big one. With a broad definition of what makes up “selling” data (selling, renting, releasing, disclosing, disseminating, making available, or transferring…a consumer’s personal information for money or something else valuable), this requirement can be the slipperiest to grab onto for businesses.
If you allow third parties to use the data you collect for their own purposes and need to be CCPA compliant, you have to have secure, efficient data mapping processes that let you identify, modify, and remove personal information for consumers within CCPA’s timelines.
That means you need to:
- Have processes for submitting individual rights-to-know and rights-to-delete requests, with at least two ways to submit them:
  - A toll-free phone number is required, except for online-only businesses, where an email address can take its place.
  - Generally, all companies can also offer a web form or an email address for submitting requests.
  - Before you finalize your processes, review them with a privacy professional to make sure you're making the right choices.
- Know you can meet the strict 10-day request confirmation and 45-day completion timelines
- Know your team can correctly identify and verify the consumer's information records
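As an added illustration (not code from the original article), here is a small Python tracker that models the intake and deadline rules listed above: it accepts requests only from recognized channels, computes the 10-day confirmation and 45-day completion deadlines, refuses to disclose or delete records until the consumer's identity has been verified, and reports which open requests have blown a deadline. The channel names, request types, and sample dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Timelines quoted in the article: confirm receipt within 10 days,
# complete the request within 45 days of receipt.
CONFIRM_DAYS = 10
COMPLETE_DAYS = 45
# Intake channels (names are assumptions); a business must offer at least two.
ACCEPTED_CHANNELS = {"web_form", "email", "toll_free_phone"}

@dataclass
class ConsumerRequest:
    request_id: str
    kind: str                      # "know" or "delete"
    channel: str
    received: date
    confirmed: Optional[date] = None
    verified: bool = False         # identity checked against your own records
    completed: Optional[date] = None

    def confirm_due(self) -> date:
        return self.received + timedelta(days=CONFIRM_DAYS)

    def complete_due(self) -> date:
        return self.received + timedelta(days=COMPLETE_DAYS)

def new_request(request_id: str, kind: str, channel: str, received: date) -> ConsumerRequest:
    if kind not in ("know", "delete"):
        raise ValueError(f"unsupported request type: {kind}")
    if channel not in ACCEPTED_CHANNELS:
        raise ValueError(f"unsupported intake channel: {channel}")
    return ConsumerRequest(request_id, kind, channel, received)

def confirm(req: ConsumerRequest, on: date) -> None:
    req.confirmed = on

def complete(req: ConsumerRequest, on: date) -> None:
    # Never act on records (disclose or delete) until identity is verified.
    if not req.verified:
        raise PermissionError(f"{req.request_id}: identity not verified")
    req.completed = on

def overdue(requests: List[ConsumerRequest], today: date) -> List[Tuple[str, str]]:
    """Return (request_id, missed_deadline) for every open request past a deadline."""
    problems = []
    for r in requests:
        if r.confirmed is None and today > r.confirm_due():
            problems.append((r.request_id, "confirmation"))
        if r.completed is None and today > r.complete_due():
            problems.append((r.request_id, "completion"))
    return problems
```

Run `overdue()` from a daily job against your request log so a missed confirmation or completion surfaces before the statutory window closes.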
CCPA-compliant privacy notices must be accessible and specifically state what type of information you’re collecting, what you’re doing with it, and who you are sharing it with. It also needs to clearly detail the rights your consumers have. (See above).
What’s more, you have to tell consumers all of that at or before the time of collection and provide an (obvious) Do Not Sell My Personal Data button on your home page.
CCPA requires you to have reasonable security procedures in place to protect sensitive consumer information. The legislation doesn't lay out what a "reasonable security procedure" is, but the first thing you need to do is make sure you understand the full life cycle of a data record. This means you need to know what information you collect, why you collect it, when you collect it, where you store it, how long you keep it, and who you share it with.
Other things that should definitely be on your to-do list include:
- Restricting access permissions and reviewing them regularly (you'd be surprised how many companies forget to remove former employees from their systems)
- Strengthening your business’s software/hardware update and patching processes so you don’t leave your systems vulnerable to hacks
- Creating company policies for strong passwords, VPN use (no public Wi-Fi!), and the separation of work/personal devices
- Encrypting data at rest and when it's transferred to other companies
After you tackle those steps, consider a privacy and security assessment for your system and for each of your service providers.
CCPA is just the beginning. It’s America’s first broad data privacy law, but it’s not even close to the last. Being CCPA compliant will allow your business to rapidly adapt to the changes that are already visible on the horizon.
CCPA's successor, the California Privacy Rights Act (CPRA), has already been passed by California voters. CPRA clarifies vague sections of CCPA, adds additional consumer protections, and adds civil liability exposure for your company if a data breach exposes your customers' sensitive personal information.
Excluding the right to access, CPRA, as it’s written now, will apply to the personal information you collect from your customers on or after Jan. 1, 2022. This means that even though CPRA doesn’t go into effect until January 2023, you need to be able to effectively track individual data records by the end of 2021.
Being CCPA compliant will effectively accomplish that and make your journey toward CPRA compliance much easier.
CPRA also dramatically increased the likelihood we'll see robust enforcement action by creating the California Privacy Protection Agency, which will have significant funding and staffing to handle privacy complaints. With CCPA enforcement managed by the office of California's Attorney General, businesses have been able to skirt scrutiny or avoid being handed privacy violations. This will be considerably less likely under CPRA's increased level of scrutiny.
Nevada, Maine, Massachusetts, New York, Vermont, and Illinois also have data protection laws on the books though they differ in many ways from CCPA and are not considered as comprehensive a privacy law. Other states have active bills pending. Even if none of these pending laws match California’s standards, the odds are very high there will be a regulation in your state in the next five years. If you can get your company CCPA compliant now, matching future requirements will be faster, more efficient, and less expensive.
Nothing is worse for e-commerce than a data breach. Hacks often result in embarrassingly bad publicity, but they also deliver a blow to your reputation with consumers that translates into lost sales and decreased revenue.
It’s not just about consumer trust, though. Non-compliance also presents a real financial risk that could drain your reserves while your sales are down.
Under CCPA, failure to resolve non-compliance issues within 30 days of notice can result in an injunction that could close your business. You could be subject to a $2,500-7,500 per record penalty from the state of California. CCPA's threshold for data collection is 50,000 records a year. Getting charged $2,500 or $7,500 for even a fraction of that many records is a lot of money.
Moreover, individual customers can sue you directly if there is a breach of non-redacted or non-encrypted data to the tune of $100-750 per record.
Even great data privacy programs will fail if your employees and vendors don't understand them. Start training your employees on CCPA compliance and data privacy best practices now. If your vendors can't or won't meet your expectations, find new ones.
Before you go thinking that privacy belongs solely to the world of IT workers, remember what an interconnected, hyperlinked, information-sharing world we live in. From your marketing department to your sales team to your customer service representatives, privacy compliance and training should be addressed at every level of your business.
It takes time to develop a strong privacy awareness culture, so don’t waste any more of it.
Consumer data isn’t just a tool — it’s the world’s most valuable currency. You need to guard it as carefully as you do your patents, copyrights, and product formulas. Even if CCPA doesn’t technically apply to you, consumers have little tolerance for businesses that play fast and loose with their personal information.
Instead of viewing privacy requirements as a cost center, think of them as a core value-add that builds trust with your customers and individualizes their experience.
Digital trust, or how much confidence users have that a business is behaving ethically online, will be a key consumer issue over the next decade. Getting CCPA compliant now will create the strong foundation you need to adapt to the data privacy infrastructure that is being built around you in real-time. Rather than getting boxed in, build the privacy practice scaffolding that will save you time and money in the long run.