Stay compliant with CCPA with these top 10 critical factors
While most are well on their way to making good on their new year’s resolutions, many CEOs and CTOs are anxiously devising strategies and tactics to stay compliant with the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
The new data privacy standard brings privacy regulation to the U.S. in a big way, serving as both an addition to and a complement of Europe’s sweeping General Data Protection Regulation (GDPR), which became enforceable in 2018.
The law reflects shifting consumer and regulatory priorities surrounding data security and personal privacy in the digital age. Since compliance is top-of-mind for companies in California, the U.S., and around the world, here is a ten-point checklist concerning the critical elements of the latest data privacy standard.
Factor 1: Purpose
CCPA is a consumer-centered regulation that places the responsibility for data privacy squarely on the shoulders of the companies collecting this information. Specifically, it grants consumers:
– The right to know what personal information is collected.
– The right to delete personal information held by businesses.
– The right to opt-out of sale of personal information.
– The right to non-discrimination when exercising privacy rights.
CCPA isn’t a broad-brush approach to personal privacy. Instead, it sets out a specific set of obligations that companies will need to address in the year ahead.
Factor 2: Application
CCPA applies to for-profit businesses doing business in California that meet any one of three thresholds: they buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices per year; they have gross annual revenue of more than $25 million; or they derive 50 percent or more of their annual revenue from selling consumers’ personal information. These are relatively low thresholds, meaning the law will apply to a significant number of online and brick & mortar stores that rely on customer data.
Factor 3: Location
Unlike GDPR, CCPA is a state law that specifically applies to businesses operating in California that collect personal data for commercial purposes.
However, major tech companies, including Microsoft, have indicated that they will honor California’s standards for all U.S. customers. Given how hard it is to reliably separate California residents from other users and apply different rules to each, it’s likely that many companies will follow their example, and those pursuing compliance will need to account for this expansive scope.
Factor 4: Data Handling
To achieve compliance, many companies will need to entirely restructure the ways that they handle personal data. These changes are both philosophical and technological, as privacy initiatives need to be supported at every level of the company and by every digital touchpoint. It’s a significant task, but it’s central to meeting CCPA’s requirements.
Factor 5: Sell vs. Share
The law gives consumers the right to opt out of the sale of personal information, and the law’s definition of “sale” extends to sharing customer data for non-monetary but still valuable consideration. As a result, companies sharing personal data for things like targeted advertisements or more personalized experiences will need to account for this information and provide consumers with a way to opt out.
Factor 6: Employees
In many cases, employees are required to sign acknowledgments noting that they have no expectation of privacy in the workplace. At the same time, monitoring initiatives collect copious amounts of data for purposes ranging from assessing productivity to protecting intellectual property.
However, under CCPA, companies will need to provide notice to employees and contractors at or before the point of collection, detailing the categories of personal information collected and the purposes for which it will be used.
Factor 7: Technology
This new employee and contractor disclosure mandate will undoubtedly have a significant impact on employee oversight initiatives. Until now, companies haven’t often considered employee privacy when engaging in monitoring and other oversight activities. In 2020, companies will need to augment their approach, ensuring that these actions don’t violate employee privacy.
With many options to choose from, every company can continue providing oversight while still maintaining regulatory compliance and securing employee trust.
Factor 8: Consequences
Like GDPR, CCPA uses the promise of financial penalties to promote compliance. Attorney general enforcement won’t begin until July 1, 2020, six months after the law took effect, but the penalties can be costly for companies that aren’t prepared. For instance, the California attorney general can pursue civil penalties of up to $2,500 for each violation, or up to $7,500 for each intentional violation, if the business fails to cure the violation within a 30-day notice period.
With many companies collecting information on thousands or millions of users, these fines can become a drag on any company’s bottom line.
Factor 9: Look Ahead
Data privacy is the new norm in the U.S. and around the world. Even before CCPA directly impacts companies, five other states (Massachusetts, Minnesota, Pennsylvania, New Jersey, and New York) are drafting their own privacy laws that closely mimic California’s standard. At the same time, India is preparing to launch a data privacy law, a move that will further complicate companies’ compliance efforts.
Taken together, it’s clear that businesses shouldn’t shy away from putting their best foot forward when considering their approach to CCPA. It matters now, and it will matter even more in the future.
Factor 10: Align with Your Customers
Ultimately, CCPA compliance isn’t a hindrance put in place by government officials. Data security is a top priority for today’s customers and employees, and companies that comply both in spirit and in practice are aligning their business model with stakeholder values.
Therefore, as you prepare to roll out your compliance measures, do it with purpose, knowing that these new priorities may cause short-term pain, but they offer a long-term opportunity to meet this movement with new measures that will delight your customers, inspire your employees, and protect your digital assets now and in the future.
This article was originally published in IT Security Central and reprinted with permission.