Here’s How to Ensure CCPA Compliance in Three Simple Steps
Following on the Heels of GDPR, CCPA May Create the Next Shockwave for Companies with Customers in California
The General Data Protection Regulation (GDPR) went into effect on May 18, 2018, effectively setting a tone for new regulations to protect consumer privacy.
Meanwhile in the U.S., similar regulations are already in place, governing businesses based in the U.S. Now comes a new data privacy regulation, the California Consumer Privacy Act (CCPA), which was signed into law on June 28, 2018 and goes into effect January 1, 2020. If your company does business with consumers in California, it’s likely on the radar already.
CCPA will govern businesses based in California and will apply to any business that earns $25 million in revenue per year or collects information for at least 50,000 customers, households or personal devices. Businesses that derive 50 percent or more of their revenue from selling consumers’ personal information are also subject to CCPA.
Waves of Anxiety
The year 2020 is just around the corner, but the time and effort required to achieve compliance are arguably the most critical factor. Businesses have until January 1, 2020, to comply with CCPA; after that date, their data privacy practices are subject to audit by CCPA auditors. With the clock ticking, CCPA readiness is lagging: according to a TrustArc survey, 86 percent of businesses are not prepared for CCPA.
Businesses that don’t comply by January 1 may be subject to stiff penalties. CCPA penalties (issued via civil cases from the attorney general) can reach up to $2,500 per unintentional violation and up to $7,500 per intentional violation.
The impending deadline is likely to cause waves of anxiety because businesses must not only change a number of business practices, but also deploy systems to implement new consumer rights.
And what about consumers? In short, their personal data is explicitly protected by CCPA. Personal data, as defined in Section 1798.140(o)(1), includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Take note that the CCPA amplifies the definition of consumer: “Californians are not just protected in their roles as consumers, but also as employees, patients, tenants, students, parents, children, etc.,” according to an analysis of CCPA shortly after it was promulgated.
The act spells out consumer protections in detail. Consumers have the right to:
- Know what personal information is being collected by a business
- Know the business or commercial purpose of collecting personal information
- Obtain a copy of their personal information
- Know if any of that information is being sold, and to whom
- Know categories of third parties with whom personal data is shared
- Opt out of having their information sold
- Take legal action when companies breach personal data
- Have their personal data deleted upon request
Know Your Path to CCPA Compliance
With less than four months remaining before CCPA goes into effect, California companies need to take stock of how they will achieve compliance – and put systems in place to document it. No process can do justice to the extreme complexity of the regulation, but a simplified three-stage process captures the essence of the challenge and can turn intentions into actions.
Analysis: Analyze your infrastructure to understand how data moves throughout your organization. Consider implementing a CCPA Data Map as a formal procedure for tracking data sources, what types of personal data are collected, for what purposes or applications the data is collected, how data is stored and processed, who has access to the data, and how and when data is disposed of.
Implementation: Deploy internal processes on your compliance platform, such as data minimization. Implement new consumer rights, such as the right for consumers to access their data and the right to be forgotten.
Documentation: Document processing activities and policies, such as a personal data protection policy, data retention policy, and data subject retention form.
As the CCPA deadline approaches, there’s good news for companies that are subject to the GDPR as well: if they are already GDPR-compliant, they have completed most of their preparatory work for CCPA, as the two regulations have a lot in common. Subject Right Requests such as the Right of Access or the Right of Erasure are included in both. However, companies must be ready to adapt, as the two regulations also differ in some parts, for example on the definition of personal information or consent expiration.
Time to Achieve Compliance Is Key
If there’s a lesson to be learned from the slow pace of GDPR adoption and compliance, it would be that the time needed to achieve compliance is the key consideration. Starting January 1, 2020, CCPA can levy fines for non-compliance. While fines can be paid and it’s back to business as usual, the organization’s brand can be tarnished and the damage in lost reputation can last for years.
With the multiple risks of noncompliance in mind, it may be time to consider automating compliance processes. Platforms for automation can eliminate weeks or months of tedious, error-prone manual processes, and the documentation they produce provides proof of compliance to auditors.
And remember that your organization may be subject to two or more regulations. For example, organizations bound by GDPR and CCPA face the complexity of running two compliance programs in parallel. If you have a software platform on which you can run those consistently, you’ve taken the first step towards becoming and staying compliant.
By Sovan Bin
Sovan currently serves as CEO of Odaseva, a company he founded in 2012 to answer the need for better data protection and governance in cloud services. Sovan spent 6 years at Salesforce, from 2006 to 2012, leading the architect team in Paris, where he was the first CTA (Certified Technical Architect) in EMEA. Under Sovan’s leadership, the company has emerged as the leading solution for cloud data protection and governance.