By now, most of us have heard of the California Consumer Privacy Act (CCPA), which was signed into law in 2018 and took effect on January 1, 2020. The disruptive but groundbreaking law has pushed the U.S. closer to global privacy norms such as the EU's GDPR. It restricts how companies collect, sell, and profit from consumers' personal data, the kind of unchecked data sharing that produced Facebook's Cambridge Analytica scandal. Whether you run an SME or a bigger business, understanding whether and how the CCPA applies to you is essential. In this article, we assist you in understanding the CCPA and getting your business compliant with this law.
What Is CCPA?
The CCPA is a state law that gives California residents the right to demand that covered companies disclose what personal information they collect about them, where it comes from, and with whom it is shared. This includes companies like Facebook and Google, which now have to tell consumers upfront about their data collection. In addition, California residents can demand that a company delete the personal information it holds about them and can opt out of the sale of their personal information to third parties. Categories of personal information covered by these rights include the following:
- Biometrics – facial recognition, fingerprints, voice patterns, etc.
- Purchasing history and purchasing or consuming tendencies
- Internet browsing information
- Education and professional or employment-related information
- Geolocation data
Before the CCPA came into force, responsible data management was largely a voluntary, ethics-driven choice for many businesses. Now companies can be held accountable and penalized if they mishandle personal information, and consumers can sue a business whose failure to maintain reasonable security leads to a breach of their personal information.
With a brief understanding of what CCPA is, why it’s such a big deal, and how it could impact your business, it is time to ensure compliance.
4 Easy Steps To Ensure CCPA Compliance
1. Find out whether the CCPA applies to your business
Not all businesses need to meet the CCPA regulations. So before you start making changes, find out whether your business must comply. The CCPA applies to for-profit businesses that do business in California, collect personal information of California residents, and meet at least one of the following thresholds:
- Your business has a gross annual revenue greater than $25 million.
- Your business annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices. (The CPRA amendments, effective January 1, 2023, raised this threshold to 100,000 consumers or households.)
- Your business derives 50% or more of its annual revenue from selling consumers' personal information.
If your business meets any of the thresholds above, we advise that you contact a legal team for assistance.
2. Rework your privacy policy
An essential requirement for CCPA compliance is that your business's online privacy policy is accurate and up to date. The CCPA requires the policy to be updated at least once every 12 months, and further updates are needed as the law and its regulations are revised. Your business's privacy policy should include the following:
- What type of personal customer information is being collected
- Why your business is collecting this information
- How your business is managing and processing personal customer information
- How customers can access, change or delete their personal information
- Whether your business sells personal information, and how customers are notified about the sale of their data
- How customers can opt-out of a business selling their data
3. Inform your customers
The CCPA requirements go beyond just updating your privacy policy. If your business sells personal information, you must give customers the option to opt out of that sale; the law requires a clear and conspicuous "Do Not Sell My Personal Information" link on your website. Your business must also have the proper mechanisms in place when collecting and sharing customers' personal information. Start with a notice at or before the point of collection telling customers which categories of personal information are collected and for what purposes, and make sure the notice gives customers a way to opt out of the sale of their information.
Under the CCPA, your customers also have the right to access the personal information you hold about them, and your business needs to implement ways for them to exercise that right, including at least two methods for submitting requests. To do this, the following documentation and procedures need to be put in place:
- Verification process
- Documentation of internal systems to be followed
- Customer communication templates
- Tracking of requests to access personal data
- Opt-in consent before selling the personal information of minors: consumers aged 13 to 15 must affirmatively authorize the sale themselves, and a parent or guardian must consent for children under 13
Additionally, you have to have procedures in place for customers who want to delete their personal information. These include the following:
- Create systems to deal with requests to delete personal information
- Respond to deletion requests within the statutory 45-day window (extendable once by a further 45 days when reasonably necessary, provided the consumer is notified)
- Identify what data your business genuinely needs, how long you need to keep it, and which deletion exceptions (such as completing a transaction or meeting a legal obligation) apply
4. Hire a dedicated person to work solely on data protection
Because the CCPA is a layered law, it benefits from a dedicated person who focuses on data protection on an ongoing basis. As a whole, the CCPA requirements will involve many departments in your business and need someone to manage, navigate, and implement the correct processes. Even though hiring a dedicated person is not compulsory under the law, it can significantly benefit a business. Data protection and management is a massive undertaking and could include tasks like the following:
- Auditing, revising, and enforcing data policies
- Designing, implementing, and managing a data collection program
- Monitoring CCPA requirements and regulatory changes
As mentioned above, the CCPA will impact many departments in your business. It is therefore essential that appropriate training is available to employees, and the law specifically requires training for staff who handle consumer inquiries about privacy practices. The training should include:
- What the CCPA is and why it is critical to the business
- Understanding customer privacy and security
- Introduction to new systems, templates, and scripts for employees to use when communicating with customers
What Happens To Businesses That Do Not Comply?
Businesses that do not comply with the CCPA face two kinds of financial exposure:
- Enforcement by the California Attorney General (and, since the CPRA amendments, the California Privacy Protection Agency): civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Under the original CCPA, a business had a 30-day window to cure a violation after being notified.
- A private right of action by consumers: if nonencrypted and nonredacted personal information is exposed in a breach that results from the business's failure to implement and maintain reasonable security procedures, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Because these amounts apply per consumer, a single large breach can be far more costly than the regulatory penalties.
Overall, the CCPA is intended to protect the privacy rights of consumers who are residents of California. The state pioneered this type of law in the U.S. and has since become a model for other states that want to implement similar legislation. As a result, businesses all over the country have developed new strategies, policies, and procedures to ensure that customers and their personal data are protected.