Last year, the United States was listed as the global leader, in the science and technology markets. The US spends over $400 billion annually, in research and development costs to expand its science and technology capabilities. Along with these expanded capabilities, comes more responsibility to protect online data privacy rights for people as well.

One US state stepping up to meet these responsibilities is California. In 2018, the California Consumer Privacy Act (CCPA) became law and goes into effect by January 2020. By this date, certain businesses must move their existing privacy policies and data protection efforts closer to agree with these new laws. 

Are you ready to meet these new CCPA compliance rules? If not, check out our guide to learn more. Some of these new provisions may be a hidden game changer for those companies who aren’t prepared to comply.

What is CCPA?

The California Consumer Privacy Act (CCPA) is the California state regulation that boosts consumer protection and privacy rights for California residents. The CCPA standardizes what companies can do with the personal customer data information they collect.

This privacy bill allows California residents the right to learn what information a business has about them. CCPA also allows residents to opt out of that information collection exercise and direct businesses to eliminate what personal information they currently have on that customer. Under the CCPA, California residents can also prohibit businesses from selling their personal data to another party.

Examples of customer information subject to the CCPA include names, mailing addresses, social security numbers, and medical information. Customer technology metrics are also subject to CCPA requirements. These metrics include email addresses, online browsing and search history, and computer device IP addresses.

Who Must Comply With CCPA?

Not all California businesses are subject to the CCPA provisions. This California data privacy act only applies to those companies that earn 25 million in annual revenues, where 50 percent of those revenues come from personal data sales. Companies that sell or buy information for more than 50,000 individuals or households must also comply with CCPA.

Not all data collected by a business is treated the same under CCPA either. For example, data collected twelve months prior to 2018 is exempt from the provisions in CCPA. Any data for children under sixteen years old cannot be transferred to another party unless they and their parents have agreed to opt-in to have their information sold.

The CCPA also requires organizations to boost cybersecurity safeguards against releasing personal information to third-parties through either theft or unauthorized employee access. The deadline for complying with this California privacy act is January 1, 2020.

Steps to Help Move Closer to CCPA Compliance

The new CA privacy bill may create some compliance challenges for companies of all sizes. Here are some tips to help your company start moving in the right direction.

Appoint a Team to Lead the  CCPA Compliance Process

Designate a team of staff members to help direct compliance efforts by the 2020 deadline. This team should include staff members from your legal and IS divisions. If you have onsite records management professionals, these people should also be appointed to this initiative.

These professionals will lead the effort to understand legislative intent and how to re-program your company’s data inventory systems. You should also appoint your company’s cybersecurity professionals to lend their wisdom to the initiative for protecting un-redacted personal information.

Program and Categorize Your Data Inventory

Organizations need to have the technical capabilities to create and categorize their inventory of stored personal data. Companies will be asked to perform tasks such as verifying consumer identities and providing collected personal information upon the individual consumer’s request. These data inventories should also be ready to delete this information if the consumer asks them to.

Categorizing your data can also help you stay organized while complying with CCPA. Categorizing your data will make it easier to flag those customers who fall under unique criteria. This criterion could include categories for those who ask you to delete their information or fall under other overlapping information privacy statutes such as federal HIPAA requirements.

Update Your Privacy Policies and Notices

Your appointed compliance team should also lead you through the steps to update your companies written privacy policies. CCPA now requires companies to let Californians know what information you plan to sell or collect before you start accumulating it.

Your privacy policy is also an ideal place to clearly spell out how customers can delete their information on request or refuse to have their personal information sold. Be sure your website also has an easy link or “opt out” button for customers to use.

As a result, although the law is widely regarded as the United States most advanced privacy law, it also requires that

Review Your Existing Cybersecurity Practices

The CCPA also charges organizations to be directly responsible for customer data theft if they don’t have reasonable protocols in place to safeguard it. The law specifies that companies may owe statutory damages between $100 and $750 per person for any breach of their confidential customer data.

It’s wise for your IT professionals to develop privacy protocols that go above and beyond to protect your client’s personal information. Otherwise, your company may be liable for millions of dollars for any future breaches or errors in sharing access rights to your customer’s data.

Next Steps

CCPA compliance may be difficult, but it’s not impossible. If you haven’t done so, appoint your CCPA compliance team to guide you through this important process. This team can update your privacy policies and notices to bring your business further into compliance.

The California Attorney General’s Office is scheduled to have compliance regulations done by July 2020. In the meantime, inventory and map your current data. That way, you can flag those data sets that meet the unique aspects of CCPA.

If you want to gauge your own company’s CCPA readiness, give us a call. We can help you reach compliance with CCPA with minimal impact on your company’s operations or bottom line.