Looking to become CCPA compliant quickly? In this article, MatrixPoint introduces five simple steps you will need to take to ensure that your company complies with the CCPA.
The California Consumer Privacy Act, or CCPA, went into effect on January 1st, 2020, and by July 1st, 2020 the California Attorney General will begin enforcing the act as well as the penalties it carries for businesses who do not comply with the new privacy laws.
Because of the hefty penalties that will be levied against businesses that fail to become CCPA compliant, it’s incredibly important to ensure that your company complies with the law.
The CCPA essentially exists to provide more privacy rights to consumers in the state of California by giving them the choice to opt-out of having their information collected or shared by businesses for marketing purposes and allows consumers to request that their information is deleted.
Businesses impacted by the CCPA are also required to verify the identity of all consumers making these requests.
Not all businesses are affected by the CCPA. The CCPA law only impacts businesses that collect and share information for over 50,000 California residents, who receive over 50% of their earnings from selling personal data, or who earn $25 million a year in revenue.
If your business qualifies for CCPA under one of the conditions above, then it’s incredibly important to ensure you are compliant with the new law as soon as possible as CCPA penalties and fines can get quite expensive.
Here are 5 quick steps to ensuring that your business complies with CCPA:
The first important step in becoming CCPA compliant involves updating and rewriting public notices and privacy policies to ensure that consumer CCPA rights are clearly stated and easy to exercise.
The CCPA, requires that these policies are updated to reflect what kind of information is being collected, how it is being collected, and which 3rd parties, if any, are receiving the information.
Any future updates would come from the state of California’s Attorney General’s office, and failure to comply with these rules or any of the requirements of the CCPA will result in penalties.
Data mapping is a key component to becoming compliant with the CCPA. You will need to consolidate all of the collected data and have it readily available in the event that consumers request that it is not shared, or deleted entirely.
That means you need to have a process in place for determining what data you have and who that data is being shared with. You’ll also have to be capable of identifying consumer information on-demand and altering the way you handle that consumer information if requested to do so.
For the purposes of the CCPA, personal data requests require that you’re capable of looking back from the time of request for a period of 12 months, identifying what specific information you collected, and whether or not it was shared with an affiliate or any 3rd parties.
Failure to comply with a consumer’s request for this information will be viewed as an intentional violation of the CCPA.
The CCPA requires that you evaluate your current vendor contracts and make amendments to those contracts to ensure they’re in compliance with new CCPA regulations.
This only includes vendors that have access to the personal data covered by the CCPA.
You will need to change the contract to adhere to the data privacy restrictions that are laid out in the CCPA, and again, failure to comply with this restriction will result in fines and penalties.
Once you have inventoried all of the data and determined how it is disseminated, you will need to create a company-wide data governance system.
It’s important that everyone at the company is aware of how to access this data, how it is used, where it is going and why it needs to be secured.
It’s critical to evaluate your data security measures as well because any data breach, intentional or unintentional, could result in penalties. Therefore, make sure you examine whether or not your current security protocols are sufficient to prevent a data breach.
Because fines and penalties for data breaches can be extremely costly, this requirement means that you may want to consider requesting the assistance of a data privacy management specialist.
All employees at your company needs to understand not just the importance of privacy data compliance, but also the consequences of failing to comply with the CCPA.
For many companies, this will require retraining current employees and familiarizing them with how CCPA rules will change their current tasks and workflows.
You may also need to amend your training manuals and language to adhere to the CCPA. If you have a good system in place and have properly inventoried your data, training your employees on how to comply with the CCPA and respond to information and deletion requests should be relatively easy. But, for many companies that have not paid specific attention to data protection, this could be a serious challenge.
Make sure to inform your employees of the risks that come with failing to comply with the new CCPA restrictions, and emphasize how important it is to your business’s integrity that you are perceived as compliant.
Failure to comply with the CCPA will not only cost your company a great deal of money in fines, fees and penalties, but because of the transparency that the act provides, it also has the potential to give consumers a negative impression of your business.
If consumers find that your company is violating CCPA guidelines, they will be more likely to pay attention to how your company is obtaining and using their information, which could seriously hamper sales efforts.
The CCPA promises businesses that they will be penalized for violations. These violations fall into two categories: intentional, and unintentional. Whether or not the violation was intentional or unintentional directly plays into how heavily you will be fined.
Penalties for Intentional CCPA Violations
An intentional CCPA violation penalty maxes out at $7,500 per impacted California resident unless of course, the damages themselves were greater than that amount.
Intentional violations include sharing or selling a consumer’s information after they have chosen to “opt-out” or failure to cooperate during the 30-day curation process following a violation.
Basically, an intentional violation is created if the company can be shown to be purposefully neglecting consumer requests.
Conversely, unintentional violations max out at $2,500 per impacted California resident or the value of the damages if they are greater.
An unintentional violation is more than likely going to be the result of an outside data breach caused by weak security protocols that expose the personal data of consumers.
Although the $2,500 max fine seems like a lot less than an intentional violation, it’s important to remember that the fines are “per California resident”.
In the event of a negative data breach, you run the risk of having all of your stored data exposed, and depending on how many people are impacted by the breach, that could lead to massive fines.
Whether your company deals with the data of hundreds, thousands, or millions of consumers, the risk of being penalized for unintentional violations through data breaches can become extremely expensive.
You need to ensure that you have strong enough security measures in place to prevent the possibility of a hacker or any other type of data breach that would expose consumer information because even if you are fully compliant with CCPA rules in every other way, a data breach will lead to significant penalties.
The California Attorney General’s office will primarily be the entity penalizing offending businesses, but the CCPA leaves room for consumers to file suits against businesses as well.
Penalties begin on July 1st, 2020.
The road to CCPA compliance imposes sweeping and overwhelming changes to data protection rules, but taking the steps one at a time may make complying with the act easier.
Once you have updated your public disclosures and privacy policies as per the CCPA, your business will need to be fully ready to start processing consumer requests about their privacy information. Remember, this includes not only telling consumers what data you have about them and who it’s been shared with, but also the capability of deleting it upon request.
Take a close look at what personal data your company collects, how the personal data that your business has is used and with whom it’s being shared. The CCPA does not strictly prevent businesses from sharing information with 3rd parties, but it does require that you have the capability of informing consumers if you are sharing their personal information.
And since you must be capable of providing consumers with the option of opting-out of the sale and use of their information, you’ll be responsible for ensuring that the 3rd parties you share their data with are only allowed to use this information if given the expressed consent of the consumer in question.
It is important to remember that the “sharing” of information does not only pertain to sales. If you are providing a 3rd party with personal consumer data in anyway whatsoever, even without any payment information, you must still disclose this sharing. To handle all of these requirements, you’ll need to create a database to access all of this information. The CCPA also includes specific requirements in regard to data storage and it is important that you review them before beginning work on creating your new system.
Determining how to handle the number of “opt-out” and deletion requests may prove tricky at first, but compliance is well worth it as it’s the only way to avoid significant fines, fees, and penalties.
To get your organization compliant with the CCPA, you’ll likely need to assemble a compliance team, task-specific employees with verifying whether or not your business practices fall in line with specific CCPA restrictions, and hold meetings and training sessions to inform all pertinent team members about the new rules.
Remember that even if you have all the proper language in your policies and have all of the data inventoried perfectly, it only takes one employee improperly responding to an information or deletion request to end up being penalized.
The best way to ensure that your company is fully compliant with CCPA restrictions is to hire a data consumer privacy consultant who can review your current operating practices, inform you where there are issues, and help design new systems, policies and procedures that ensure you are compliant with the new law.
For assistance in ensuring that your company is able to quickly become CCPA compliant, schedule a free consultation with MatrixPoint. Call us at 800-683-6983, or simply fill out our contact form.