CCPA Compliance Checklist

By MatrixPoint


If your company collects data concerning California residents, you should take time to determine whether your company is going to be subject to new liabilities and obligations under the CCPA. So, what is the CCPA?

The CCPA is the California Consumer Privacy Act. This act encourages data privacy compliance by businesses and companies regarding the collection, use, sale, and other disclosures of consumer personal information. The CCPA is intended to give consumers a broad range of rights to not only access their personal information but to also control how that information gets shared by companies.

As a result, companies and businesses will need to alter their operations, procedures, and policies to adhere to the privacy requirements set forth by the CCPA and to respect California residents’ information rights.

The CCPA becomes operative on January 1, 2020, and will be enforceable by the California Attorney General starting on July 1, 2020. This date may be moved up if regulations pertaining to the CCPA are issued quickly.

Non-compliance with the CCPA will result in backlash for businesses and companies found to be ignoring CCPA requirements. Not only are there fines of up to $7,500 per intentional violation, but there are also reputational risks to the companies and businesses involved. Businesses that ignore the CCPA compliance requirements risk having their reputation smeared and will inevitably lose consumer trust, which results in lost future sales.

With that in mind, your business must be adequately prepared for the CCPA taking effect. Our CCPA compliance checklist will help you understand how to comply with CCPA requirements.


Does the CCPA Apply to You?

CCPA will primarily apply to businesses that are for-profit. Businesses that see over $25 million in annual gross revenue are the most likely to be evaluated first.

However, your business will also need to comply with CCPA requirements and regulations if you receive or share the personal information of 50,000 or more consumers, households, or devices.

Additionally, if your business receives more than half of its annual revenue from sales of private consumer data, the CCPA will apply.

Even if a business does not fall into these categories, it is still important to adhere to the CCPA’s data privacy requirements, or at least to maintain a strict and accurate understanding of the law as it pertains to your business. The law can be updated or changed at any time, and your business may become liable for any violations within a 12-month period.

The CCPA does not apply only to businesses based in California. A business does not have to have a physical presence in California, or even in the United States, to fall under this law.

It should be noted, though, that an amendment to the CCPA exempts insurance institutions and agents, as well as support organizations, from having to comply. This is because these entities are already subject to similar regulations under the California Insurance Information and Privacy Protection Act, or IIPPA.


Take an Inventory of Personal Data

Taking an accurate and full inventory of any consumer personal data that your company has collected, is collecting, and will collect in the future is an important first step of compliance with the CCPA. This step will help you to determine how the CCPA’s new requirements will apply to your business.

Even if your business is in compliance with other privacy laws, it may not fully comply with the CCPA. The CCPA covers a wider range of personal information than the majority of other U.S. privacy laws: any information that can be associated with a consumer, including purchase history, browsing or search history, IP addresses, and more.


Prepare to Execute Access & Deletion Requests

The CCPA allows consumers not only to access the data that has been collected about them and to control how a business uses it, but also to have that data deleted upon request.

Not only will you have to process information access requests, but you will also have to handle and follow through with deletion requests. Whether your business can quickly and accurately respond to these requests depends on your ability to locate the relevant personal information within your systems.

Additionally, you will have to adjust your operations to handle these requests. You will have to verify the consumer’s identity any time a request is made. You will also need to assess exactly what is expected of your business, as well as what you will be held accountable for.


Find Out How You’re Sharing Personal Information

Do you know exactly how your business is sharing or sending personal consumer information to other entities or companies? If not, you need to find out. The CCPA will force businesses to allow consumers to opt out of any sales of their personal data or face penalties.

Consumers will have to be informed about any sales and other disclosures of their personal, protected information. Sales do not have to be strictly monetary. Any transfer in which personal consumer information is exchanged for anything of value is recognized as a sale under the CCPA, and consumers will be permitted to opt out.

Determine if You’re Sharing Personal Information with Affiliates

Does your business work alongside any affiliates or share information between the entities? If so, you need to evaluate how you’re sharing that information.

Under the CCPA, a single business includes any entity that shares branding, names, or marks, or is controlled by the same business. Any corporation outside of these bounds is considered an affiliate if your company works with it, including those with different branding or that are not within your company’s parent-subsidiary relationship.

The CCPA does not, however, exclude certain instances of intragroup sharing. More to the point, it does not specify whether this kind of sharing is to be considered a sale or not. This may be clarified in future amendments to the CCPA, or the interpretation of the law may be determined further by the California Attorney General’s office.

Given this uncertainty, however, it is a good idea to prepare for all sharing to be scrutinized. This includes intragroup sharing.


Review Contracts & Update Your Public Disclosures

This is an important step, as it helps you take advantage of current CCPA exceptions that relate to sharing consumer data with vendors that your business works with or alongside. Your business’s vendor contracts need to have specific provisions outlined in them.

You and your business should determine whether amendments to existing contracts need to be made. You should also update your standard terms.

Regarding public disclosures, the CCPA will require businesses to provide new notices about the updated policies and procedures. These notices will include informing consumers of their rights to access, delete, and opt out of any potential sales of their personal information.

Taking this step will help to improve and solidify your business’s relationship with consumers. Your public disclosures will let them know that you are taking the necessary steps to allow them to fully exercise their rights regarding their personal information.


Decide if You’ll Need to Modify Services for Consumers Who Exercise Their Rights

Undoubtedly, many consumers are going to opt out of having their personal information and private data sold or traded to other entities. The CCPA prohibits any business from discriminating against consumers who choose to exercise their rights.

However, the CCPA also allows businesses to offer financial incentives for certain data collection practices. It also allows businesses to treat their consumers differently wherever the difference is reasonably related to the overall value the consumer’s information provides.

What this all means is that your business needs to carefully consider incentive programs, whether you currently offer them or not. Additionally, you need to have a plan in place for how to properly respond to consumers who persistently and intentionally block the sale of their information, or exercise other rights under the CCPA.


Find Out If You Collect Personal Data from Children Under 13, and/or Teenagers 13-15

If children access your website and you collect their personal data, you need to be aware of it. The CCPA has specific, special consent requirements where children or teenagers are concerned, particularly if they are under the age of 16.

Where necessary, your business will need to meet the CCPA compliance requirements in ways that align with the federal Children’s Online Privacy Protection Act, otherwise known as COPPA.

COPPA was enacted by Congress in 1998, so your business should already comply with this act. If not, you could face further legal repercussions as the law deems fit. COPPA requires the Federal Trade Commission to issue and enforce regulations concerning the online safety, privacy, and protection of children.

Primarily, the goal of COPPA is to give parents full control over what information is collected regarding their underage children online, including on business websites. These regulations also apply to any online services or mobile applications, or any other means of collecting, using, selling, or otherwise disclosing the personal information of children.

The CCPA has additional special requirements and permissions where children and teenagers under the age of 16 are concerned, so even if you are complying with COPPA, you may not be fully in compliance with the new CCPA requirements.


Review Your Data Security Practices

You will need to review the data security practices of your business. While the CCPA has limited requirements involving security and breach response, the penalties may be severe. Additionally, the CCPA may work in tandem with the GDPR under certain circumstances.

GDPR is the General Data Protection Regulation. It is a legal framework tasked with setting the guidelines that cover the collection and processing of any individual’s personal information. This applies to consumers in the European Union. However, any business or website that complies with the standards and regulations of the GDPR will likely still need to take further courses of action to comply with the requirements set forth by CCPA.

CCPA has particular requirements concerning information tracking, access, and data storage. The compliance and security team for your business will have to work closely alongside your database administrators to make sure all regulatory requirements are being met.

Any of the tools that your teams elect to use to help with CCPA compliance will need to have full visibility into data that is stored across the entire affected corporate environment. Additionally, your team will be tasked with ensuring that any access to this data is properly secured and protected.

The task of securing and protecting this data is complicated further if your business uses cloud storage and providers, because the data is often less secure to begin with. Additionally, if your employees have set up file-sharing accounts to keep track of marketing or sales contacts, things could become complex, if not chaotic.


Mitigate Liability Exposure

You may also need to mitigate liability exposure. The CCPA will increase liability exposure by giving consumers a private right of action.

These actionable rights are linked to statutory damages for consumers whose information may be subject to any kind of security breach due to the business's failure to provide reasonable or expected security measures.

If these security measures are lacking, CCPA affords a business 30 days to fix any alleged violations before the business will be forced to face statutory damages.

For this reason, it is important not only to review, revise, or improve the security measures for your business and website, but also to review the cybersecurity insurance coverage you have in place for your business.

This provision of the CCPA is very likely to increase the frequency, and the overall stakes, of data security litigation for a variety of businesses.


Monitor CCPA Updates, Rules, Changes & Announcements

Even after you have taken into account all of the above factors and made the appropriate changes, you need to continuously monitor the CCPA for updates. The basic framework of the law is not likely to change; however, there might be small additional nuances, edits to the rules, amendments, and so on that could affect your business.

Important updates can arrive in several ways. The enforcement start date, for example, may change depending on regulations issued by the California Attorney General. There may be legislative amendments, or a new federal law could be enacted.

In addition to the points listed above, you will also need to:

  • Interview any internal privacy stakeholders such as the CCO, CRO, and CPO. Create, map out, and institute an organizational privacy vision, and then structure a dedicated privacy team composed of both legal and operational departments.
  • Map and inventory the relevant data. Make sure that you document all consumer privacy-related information repositories and track the data life cycle. Review any systems related to consumer privacy data. Also, be sure to review any agreements with third-party entities that have data access.
  • Prepare the relevant training materials and properly train your employees and data security personnel to handle the new law and regulations. They should be instructed on how to handle, process, and fulfill personal information requests made by consumers, including the verification, access, and deletion of the relevant private information.
  • Find, invest in, and prepare technological solutions that can process any consumer requests that you receive. This includes the consumers’ right to opt out of any sale or trade of their personal information.
  • Conduct third-party audits of any of your business’s service providers that may have access to your consumers’ personal data and information. Make sure that your service providers are also in compliance with the CCPA, or you may be held liable for their negligence as well.
  • Create and maintain a privacy inbox and respond to consumer requests in a timely and accurate fashion.
  • Report directly to any compliance regulators concerning any updates, problems, or concerns.
  • Document any gaps in policies, procedures, third-party data-sharing agreements, and more. This also applies to employee training, privacy notices, and customer or consumer communications. Create recommendations and plans to close any gaps, and come up with an implementation plan and timeline for when the gaps will be addressed.


Contact MatrixPoint for Assistance

If you find that you need assistance getting your business or company ready for the CCPA’s operative date, or if you need to prepare for when the law will be enforced, you should contact MatrixPoint. We can help you prepare your business to adhere to the CCPA compliance requirements as outlined by the law.

Schedule a consultation with MatrixPoint to learn more about our data privacy management solutions.
