Are Your Data Security Protocols CCPA-Ready?

Forbes Technology Council
POST WRITTEN BY
Ameesh Divatia

If you operate a business in California, you know that the California Consumer Privacy Act (CCPA) became law on January 1 this year. Similar to the EU’s General Data Protection Regulation (GDPR), the CCPA seeks to offer the state’s consumers greater control over the sharing of their personal information by businesses. For example, consumers can request to see how companies use their data and even opt out of having their data sold.

Despite the regulation’s intention of better protecting consumer privacy, many businesses are finding it difficult to fully understand whether they are covered by the law—meaning whether they are required to comply with it. Further, there are even more questions about how the law will actually be enforced and what businesses should do to remain compliant. Gaining greater insight into these queries will help organizations take the appropriate next steps and avoid the dreaded civil action and financial penalties.

Determining CCPA Coverage

The first thing a company needs to do is determine whether it’s covered by the CCPA, which will guide what additional processes and safeguards are necessary to comply with the law. According to the regulation, the first step in determining CCPA coverage is assessing whether any of the following applies to your for-profit business:

• Annual revenue exceeds $25 million.

• Business engages in the buying, receiving or selling of personal information of 50,000 or more consumers, households or devices.

• Business derives more than 50% of its annual revenue from the selling of consumers’ personal information.

Assuming at least one of those criteria applies, an organization is considered a covered business if all of the following are also true:

• You are a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners.

• You collect consumers’ personal information, or someone collects it on your behalf.

• You alone, or jointly with others, determine the purposes and means of processing consumers’ personal information.

• You do business in California.

While not specifically addressed by the CCPA, a business that operates in another state but has online customers or employees in California could also be covered.

Additionally, an organization that doesn’t collect data itself but uses a third-party vendor to do so would also be subject to CCPA regulations, along with the vendor. The California Office of the Attorney General’s website is a good source for more details.

Getting Prepared

Another area of potential confusion is when enforcement of CCPA violations may begin. While the law became operational on January 1, enforcement of privacy-related suits cannot be initiated until six months after final regulations have been approved by the California Attorney General or July 1, whichever comes first.

However, that is not the case for suits related to data breaches, which became subject to enforcement upon the commencement of CCPA’s operational status at the start of the new year. As a result, it is critical to immediately implement the appropriate protocols if you haven’t already.

As you’re preparing to address CCPA compliance, it’s important to know that if you violate a consumer’s privacy, you may be able to “cure” the violation within 30 days of being informed and thereby avoid penalties. If you experience a breach, the law allows covered businesses 30 days to address violations related to reasonable security practices without penalty.

For that reason, your business should first:

• Implement strong security policies and procedures: Set strong passwords throughout the organization. Enable two-factor authentication, and regularly patch your software.

• Conduct thorough incident response planning and training: Come up with a robust plan to address incidents when they happen.

• Institute access control measures: This mitigates insider threat and privileged access risk.

• Protect data at the record level: Secure what is most important (the data), as opposed to protecting your perimeter.

While these four practices should be at the top of your priority list, your preparation shouldn’t stop there. From a data protection standpoint, it is crucial to also:

• Identify where all collected consumer data resides.

• Adhere to strict data retention schedules and eliminate any data once it is no longer necessary to store.

• Review all business partners that collect data on your behalf and ensure that they are CCPA compliant.

• Consistently review and update data collection and retention policies to comply with changing laws and regulations.

At a higher level, it is critically important to have someone within the organization monitor the CCPA’s status for changes. There are aspects of the law that are still being determined, so keeping a watchful eye on it will prevent you from unintentionally falling out of compliance.

With consumer privacy regulations like CCPA and GDPR becoming the new normal, covered businesses will be more prepared as additional states enact similar regulations. This will be especially true if a federal privacy mandate becomes the law of the land. While the learning curve to protect data at more stringent levels can be steep, long-term benefits that extend beyond compliance—such as reputation management, increased consumer trust and greater efficiency—are well worth whatever initial discomfort you may experience.

In upcoming columns, I’ll take a closer look at other privacy considerations that any company can benefit from, such as simplifying data discovery, preparing for and recovering from a breach, creating updated data management protocols, and preparing compliance checklists.