CCPA compliance is incredibly important as privacy breaches can lead to large fines, fees and penalties. This article explains the new CCPA statute, how it impacts business, and how to find out if your business is compliant.

The passing of the California Consumer Privacy Act (CCPA) has brought about sweeping changes to businesses dealing in the collection and exchange of personal data.  The CCPA statute went into effect on January 1st, 2020, but the state of California’s Attorney General will not start imposing penalties for businesses that are not in compliance until July 1st, 2020.

The CCPA affects companies bringing in $25 million or more in revenue, companies earning more than half of their annual revenue through the selling or sharing of personal data, and companies possessing the personal information of over 50,000 consumers, households, or devices.  

Failure to comply with the new CCPA regulations carries very heavy risks, so businesses need to take steps to become complaint as soon as possible.  These risks include facing penalties of up to $2,500 per unintentional data breach, and up to $7,500 per intentional breach. Those costs are per California resident, per breach of information, so you can see how these fines can scale into the millions of dollars if steps are not taken to ensure compliance.

The purpose behind the CCPA is to provide California consumers with more personal data privacy. The CCPA forces businesses to disclose how they’ve obtained the consumer’s data and what is being done with it, in addition to providing consumers the opportunity to request access to the data, as well as for the option of requesting that the data be deleted. The consumer can also choose to opt-in or out of having their personal information shared.

Getting compliant with the CCPA is a complicated process, so it may make sense to hire a data privacy protection specialist to help you navigate the requirements of this complex legislation. If you’re looking for assistance in getting CCPA compliant quickly, then contact MatrixPoint for a free consultation by calling 800-683-6983, or filling out our contact form

How Do I Know If I Am Not Compliant?

Luckily, determining whether your business is CCPA compliant is a relatively easy task, as the act specifically outlines all of the actions needed to be taken to comply. In fact, you won’t need to go much further than your site’s homepage to determine whether you are in compliance.

Does your business’s homepage feature “Do Not Sell My Information” links? If not, then that would be the first strike against you. Under the CCPA, affected businesses are required to update their webpages to provide a clear and concise link allowing consumers to opt-out of having their information shared or sold.

Does your business’s homepage provide a clear way for users to send a CCPA request? Under the CCPA, users must be able to request detailed instructions on how and why their information has been collected as well as whether it’s being sold to 3^rd parties and who those 3^rd parties are.

If your site’s homepage doesn’t offer a clear path for users to request CCPA information, then your business is not in compliance. These two key indicators are easy fixes, and failing to update your business’s homepage accordingly is likely to result in CCPA fines, fees, and penalties.

Who Can Tell If I Am CCPA Compliant?

Every single California web user can determine if your business is compliant. As stated above, the homepage alone would tell any user whether or not your business is compliant. If they were to venture into the privacy policy page, that would be a dead giveaway as well.

The CCPA requires that the privacy policy must be amended to reflect the new data privacy protection rights the act affords to users, including what kind of requests they can make of the business as well as choosing whether the business can continue to store and use their privacy data.

Because of the fact that the CCPA puts the power in the hands of the consumer and offers them transparency like never before, people are likely going to be exercising their rights (with or without the assistance of lawyers looking to capitalize on the new system for quick financial settlements).

Accordingly, it’s incredibly important that your web page and privacy policy clearly indicate your compliance with the new CCPA restrictions. This simple update may save your business the trouble of having to deal with hundreds, thousands, or even millions of consumer complaints, allowing you to avoid costly litigation, fines, fees, and penalties.

However, even if all the necessary information is present on the home page and within the privacy policy, your business may still not be in compliance with the new CCPA regulations because it actually has to abide by new data privacy protections and restrictions as well.

Even after you’ve updated the homepage and privacy policy to present information about how users can make a request for their data, your business still needs a process in place to efficiently respond to those requests per the new CCPA rules, otherwise, consumers will be able to tell that your business is not in compliance and this will lead to them making a formal complaint.

Pretending like you’re CCPA complaint, but failing to actually do so is almost certainly going to be categorized as an intentional violation of CCPA rules, and is going to result in fines of up to $7,500 per violation, or whatever the actual financial damages are if their total surpasses that amount. This is why it’s important for your business to provide the necessary information to inform users that you are compliant, but also to have a team in place that will properly respond to consumer requests for privacy information.

Because the CCPA sets a new standard of consumer privacy in the state of California, users are likely to pay close attention to which websites are falling in line with the act, and it’s likely that groups of users will attack businesses known to be out of compliance. Therefore, it’s important to not only comply with the CCPA but also to be perceived by consumers as being one of the “good” businesses that is following the new law’s restrictions, as this will help your business avoid getting flooded with consumer privacy data requests.

CCPA Guidelines For Businesses

At first, many businesses were scrambling at the announcement of the CCPA wondering just how significantly the new guidelines would affect their operations. All of the new guidelines and regulations may seem overwhelming, but knowing where to begin on the road to compliance is half of the battle.

Because customers will be required to have easy access to make information and deletion requests, you’ll need to have all of the necessary information readily available. This means assigning a compliance team or a specific employee to sort through the information and categorize it per the new CCPA specifications.

This includes providing a full history of the consumer’s information you’ve stored, used and sold, going back a full 12 months from the time of the consumer’s request. The CCPA guidelines even offer specific instructions as to how this information needs to be organized to be “visible”, meaning easy to discern.

How to Get CCPA Compliant Quickly

1. Update Your Public Disclosures

If the nature of your data collection and what is being done with that data is not expressly stated in public disclosures available to consumers, then your business is likely to be red-flagged as not being compliant with CCPA restrictions.

In the business’s public disclosures, you need to include specific statements required by CCPA regulations, including the exact rights of the consumer as well as the fact that they can make requests for access to their information and requests to delete it.

Once your public disclosures are in order, you need to make sure that your business has a process in place for handling CCPA-driven consumer requests for their private data too. When a user makes a request, it is required by the act that you first verify his or her identity and then respond in a timely manner.

2. Update Contracts with Third-Party Vendors

Depending on the operations of your business, you more than likely have affiliates or 3^rd party service providers that you share personal data with too, and if that is the case, then you will also need to review whatever contracts you have with them to determine that all of your arrangements are CCPA complaint.

The CCPA does not prohibit businesses from sharing information with 3^rd party service providers; however, it does limit any future data transactions. Your business must also inform the consumer if their information is being shared with a 3^rd party as well as providing them the chance to “opt-out” of the sale or sharing of their information if they so choose.

It is also important to audit any 3^rd party service provider or vendor that you are in business with to determine whether their practices are CCPA compliant. Even if your business is CCPA compliant, your affiliation with a 3^rd party that is not compliant could lead to you being held accountable and ultimately penalized for their actions.

3. Check for Data from Minors

Examine the data inventory that your compliance team has compiled and determine whether any of the consumer data you have is from a minor. The CCPA has strict consent requirements for collecting data of children and teenagers up to the age of 15 years old, and failure to comply will lead to fines.

This also falls in line with the Children’s Online Privacy Protection Act which similarly seeks to protect the privacy and personal information of minors on the internet.  You must get the consent of the parent or guardian of a minor to share their information as well as providing them with access and deletion requests.

4. Create a Process for Responding to Consumer Requests

Possibly the most important aspect of CCPA compliance is creating a process for how your business responds to consumer requests.

You will need a system in place for fielding and handling the incoming access, opt-out, and deletion requests consumers make, while also efficiently verifying the identity of users making those requests.

Why is this so important? Because this is the core of the new CCPA rules; your business can’t just say that it allows consumers to request the personal data you’re collected on them, you have to actually be able to field those requests and respond to demands to delete or stop sharing their data.

To prevent your business from getting hit with CCPA fines, fees and penalties, it’s important that you implement a clear system for fielding these sorts of consumer requests.

Giving your employees a refresher on customer service as well as a thorough rundown of the CCPA should make it clear how important prompt and informative responses are to staying in compliance.  

Unless you are going to implement technology to automatically handle user requests, assign a specific department or employee with fielding the requests because as time goes on, your business will need to stay on top of them, as failing to respond to a single notice could end up leading to fines and fees.

In all likelihood, if you’re a large business impacted by the CCPA, you are going to need to assemble a privacy team. This team will be responsible for ensuring consumer privacy protections and putting safety practices into place, and it should include legal department members in addition to data compliance officers.

5. Update Your Security Protocols

Ensuring CCPA compliance may also require updating and modernizing your data security measures.  If by chance your security protocols are out of date or simply are not strong enough to withstand a cyber-attack of any sort, you are at risk of falling victim to a hacker or any other unintentional data breach, and under the new CCPA guidelines, even unintentional data breaches can become quite expensive.

You may want to consider investing in privacy technology and software to fortify your business against cybersecurity threats. With over 300,000 cyber-attack reports each year, spending the extra money or expanding your web security team may be well worth avoiding the risk of unintentional data breaches, especially since fees are calculated based on the number of individuals involved.

Should I Hire a Data Privacy Consultant?

With the help of a consumer data privacy consulting service, you can more easily discern what steps need to be taken to ensure that your business is fully compliant with CCPA regulations.

A data privacy expert can look at your data, evaluate your security systems, and inform you of exactly what needs to be updated to ensure you aren’t hit with CCPA fines, fees and penalties.

They can help build your system for responding to CCPA requests, train your compliance team to handle requests and data breaches, and identify any security threats or flaws in your data privacy plans, allowing you to properly prepare for CCPA enforcement.

Data privacy experts are also paying close attention to future updates to the CCPA, and can inform you when laws, restrictions or guidelines are altered to ensure that your company remains in compliance with whatever updates eventually emerge.

Contact MatrixPoint For Assistance

If your business isn’t CCPA compliant, then you’re leaving yourself open to all manner of fines, fees and penalties, as well as consumer backlash for failing to protect consumer privacy data.

To protect your business from the new CCPA regulations and ensure you can become CCPA compliant, schedule a free consultation with MatrixPoint.

Call us at 800-683-6983, or simply fill out our contact form.