On January 1, 2020, the California Consumer Privacy Act (CCPA) became operational, however, enforcement of privacy-related suits cannot be initiated until July 1. The regulation, similar to the EU’s General Data Protection Regulation (GDPR), seeks to offer people greater control over the sharing of their personal information by businesses. For example, consumers can request to see how companies use their data and even opt-out of having their data sold.
Due to the suddenly strained resources many businesses are experiencing related to the COVID-19 pandemic, a coalition of more than 60 companies wrote a letter to California Attorney General Xavier Bacerra asking for an extension of the July 1 enforcement date. That request was denied, leaving many organizations scrambling to have the appropriate tools and processes in place to maintain compliance.
As a result, some may still be attempting to determine whether they are covered by the law and what they should do to remain compliant. Here are some things companies should consider.
Determining CCPA Coverage
According to the regulation, the first step to determining CCPA coverage is assessing whether any of the following applies to your business:
- Annual revenue exceeds $25 million.
- A business that engages in the buying, receiving or selling of personal information of 50,000 or more consumers, households or devices.
- A business that derives more than 50% of its annual revenue from the selling of consumers’ personal information.
Assuming at least one of those criteria applies, an organization is considered a covered business if all of the following apply to your business:
- You are a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners.
- You collect consumers’ personal information, or someone collects it on your behalf.
- You alone, or jointly with others, determine the purposes and means of processing consumers’ personal information.
- You do business in California.
While not specifically addressed by the CCPA, a business that operates in another state but has online customers or employees in California could also be covered.
Additionally, an organization that doesn’t collect data itself but uses a third-party vendor to do so would also be subject to CCPA regulations, along with the vendor. The California Office of the Attorney General’s website is a good source for more details.
As mentioned, privacy-related suits cannot be filed until July 1, however, that is not the case for suits related to data breaches, which became subject to enforcement upon the commencement of CCPA’s operational status at the start of the new year. As a result, it is critical to immediately implement the appropriate protocols if you haven’t already.
As you’re preparing to address CCPA compliance, it’s important to know that if you violate a consumer’s privacy, you may be able to “cure” the violation within 30 days of being informed and be absolved of being subject to penalties. If you experience a breach, the law allows covered businesses 30 days to address violations related to reasonable security practices without penalty.
For that reason, your business should first:
- Implement strong security policies and procedures: Set strong passwords throughout the organization. Enable two-factor authentication, and regularly patch your software.
- Conduct thorough incident response planning and training: Come up with a robust plan to address incidents when they happen.
- Institute access control measures: This mitigates insider threat and privileged access risk.
- Protect data at the record level: Secure what is most important (the data), as opposed to protecting your perimeter.
While these four practices should be at the top of your priority list, your preparation shouldn’t stop there. From a data protection standpoint, it is crucial to also:
- Identify where all collected consumer data resides.
- Adhere to strict data retention schedules and eliminate any data once it is no longer necessary to store.
- Review all business partners that collect data on your behalf and ensure that they are CCPA compliant.
- Consistently review and update data collection and retention policies to comply with changing laws and regulations.
At a higher level, it is critically important to have someone within the organization monitor the CCPA’s status for changes.
With consumer privacy regulations becoming the new normal, covered businesses will be more prepared as additional states enact similar regulations. This will be especially true if a federal privacy mandate becomes the law of the land. While the learning curve to protect data at more stringent levels can be steep, long-term benefits that extend beyond compliance—such as reputation management, increased consumer trust and greater efficiency—are well worth whatever initial discomfort you may experience.
A version of this article originally appeared in Forbes.