How to Achieve Compliance with CCPA
The journey to compliance with recent privacy acts proves to be one of increasing complexity.
Earlier in 2019, the EU’s General Data Protection Regulation (GDPR) made it necessary for businesses to protect the data they collect on EU citizens. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, will likely have even more repercussions for U.S. businesses than GDPR.
Here’s what we’re covering:
- What is the CCPA?
- Who does the CCPA affect?
- How do I become compliant with the CCPA?
What is the CCPA?
The CCPA, also known as AB 375, grants California residents unprecedented rights to data privacy. AB 375 takes an even broader view of what constitutes private data than GDPR does.
“Less than 40% of companies are truly GDPR compliant.”
DON LITZENBERG, VP of Sales at 2B Advice
The CCPA allows any California resident to demand to see all the information a business has collected on them. Additionally, consumers are able to request a full list of third parties with whom their information has been shared.
The CCPA also allows California consumers to sue companies that have violated its privacy requirements, even if there has been no breach of information.
The big issue the CCPA addresses is that most consumers don’t realize how much of their personal information is being shared with and sold to other parties. AB 375 ensures that California consumers have the chance to opt out of having their information used in ways they disapprove of.
The opt-out structure of the CCPA gives California consumers the following rights:
- The right to know whether their personal information is being collected. This requires companies to disclose any collection of a consumer’s personal data and the purpose of that collection.
- The right to request, upon verifiable request, the specific categories of data the company collects. This gives consumers the right to know the specific information a business has collected on them, the sources of that information, the reasons for collecting and/or selling the data, and the third parties with whom the company has shared their personal information.
- The right to refuse the sale of their personal information. Once a consumer exercises this right, the business may not sell that consumer’s personal information.
- The right to delete their information. This gives California consumers the right to officially request that a company delete the data it has collected on them.
Any violation of these rights can result in fines and/or class action lawsuits.
Who does the CCPA affect?
The CCPA affects any for-profit legal entity that collects and sells private consumer information. Data considered private include:
- Identifiers such as real name, alias, postal address, email address, SSN, driver’s license number, passport number.
- Commercial info such as records of personal property and products/services purchased or otherwise obtained.
- Internet activity such as browsing history, search history, and information regarding a consumer’s activity on an app.
- Geolocation data.
- Professional/employment information.
The entire list of information protected under the CCPA is:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained or considered or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
A company is subject to AB 375 if it meets at least one of the following conditions:
- Generates $25 million or more in revenue
- Possesses the personal data of over 50,000 “consumers, households, or devices”
- Earns more than half of its annual revenue via selling personal consumer data (any of the information listed above)
Businesses affected by the CCPA do not have to be based in California. They don’t even have to be based in the United States. As long as a company meets one of the above conditions and serves California residents, it needs to comply with the new law.
There are, however, some exemptions to the rule, including:
- HIPAA-compliant health providers and insurers
- Banks and financial institutions that are covered under Gramm-Leach-Bliley
- Credit reporting institutions that are covered under the Fair Credit Reporting Act
“The Private Right to Action could be monumental in what it means to businesses that want to do business with Californians.”
DON LITZENBERG, VP of Sales at 2B Advice
Don points out that even if California’s attorney general takes no action right away, companies are still required to be compliant by the first of January. There is, however, a 30-day grace period that starts when a consumer supplies a company with written notice that they believe their privacy rights have been violated.
Nonetheless, any company that does not comply by January 1, 2020, will be subject to penalties (fines of up to $7,500 per record and potential lawsuits).
How do I become compliant with the CCPA?
Companies that are already completely GDPR compliant shouldn’t have too much more work to do to become CCPA compliant. Even so, achieving CCPA compliance can be a hefty task to take on internally.
Don shares four steps for becoming compliant with the CCPA.
- Map out your data. Having a clear understanding of where all your customers’ data is kept is crucial to achieving compliance. Create a map of all the consumer data you collect and where it’s located.
- Determine the criticality of the data. Do you have a legal right to the data you’ve collected?
- Understand the tech you have in place to protect consumer data. The CCPA requires companies to have adequate security measures in place.
- Perform audits. Look through all data inventories, business processes, and data strategies to ensure all privacy notices and policies are up-to-date.
Privacy statements, which are typically written by lawyers, should be updated on all of your business’s digital assets (website, app, social media, etc.). Other requirements that Don brings to our attention include:
- Companies are expected to have an opt-out button on their websites
- Companies need to offer an 800 number for customers to inquire about privacy violations
- Businesses must acknowledge requests for the deletion of data within 10 days of the request
Successfully achieving CCPA compliance, or any data privacy compliance for that matter, can be overwhelming for a company to take on alone. It’s often useful to hire a third party like Don and his team at 2B Advice to ensure that all legal requirements are met. If they are not, the resulting fines and/or lawsuits can do major damage to a business’s finances and reputation.
“There is not enough skill out there today to be able to handle compliance properly within an organization.”
DON LITZENBERG, VP of Sales at 2B Advice
If you don’t use iTunes, you can find all our episodes here.