CCPA Compliance: Are Your Data Security Protocols CCPA-Ready?
By Ameesh Divatia, CEO and co-founder | May 1, 2020
On January 1, 2020, the California Consumer Privacy Act (CCPA) became operational; however, enforcement of privacy-related suits cannot be initiated until July 1. The regulation, similar to the GDPR (the European Union’s General Data Protection Regulation), seeks to offer people greater control over the sharing of their personal data by businesses. For example, consumers can request to see how companies use their data and even opt out of having their data sold.
Due to the suddenly strained resources many businesses are experiencing related to the COVID-19 pandemic, a coalition of more than 60 companies wrote a letter to California Attorney General Xavier Becerra asking for an extension of the July 1 enforcement date. That request was denied, leaving many organizations scrambling to have the appropriate tools and processes in place to remain CCPA compliant.
As a result, some may still be attempting to determine whether they are covered by the CCPA requirements and what they should do to remain compliant and help protect consumer rights. Here are some things companies should consider.
Determining CCPA Coverage
According to the regulation, the first step to determining CCPA coverage is assessing whether any of the following applies to your business:
- Annual revenue exceeds $25 million.
- A business that engages in the buying, receiving or selling of personal information of 50,000 or more consumers, households or devices.
- A business that derives more than 50% of its annual revenue from the selling of consumers’ personal information.
Assuming at least one of those data processing criteria applies, your organization is considered a covered business if all of the following also apply to it:
- You are a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners.
- You collect consumers’ personal information, or someone collects it on your behalf.
- You alone, or jointly with others, determine the purposes and means of processing consumers’ personal information.
- You do business in California.
While not specifically addressed by the CCPA, a business that operates in another state but has online customers or employees that are California residents could also be covered.
Additionally, an organization that does not collect data itself but uses a third-party vendor to do so would also be subject to CCPA regulations, along with the vendor. The California Office of the Attorney General’s website is a good source for more details on CCPA and many other privacy laws.
Preparing for CCPA & GDPR Compliance
As mentioned, privacy-related suits cannot be filed until July 1; however, that is not the case for suits related to data breaches, which became subject to enforcement when the CCPA became operational at the start of the new year. As a result, it is critical to implement the appropriate protocols immediately, if you haven’t already, in order to avoid being penalized for non-compliance.
As you’re preparing to address CCPA compliance, it’s important to know that if you violate consumers’ data privacy, you may be able to “cure” the violation within 30 days of being informed and be absolved of being subject to penalties. If you experience a breach, the law allows covered businesses 30 days to address violations related to reasonable security practices without penalty.
For that reason, your business should first:
- Implement strong data security policies and procedures: Set strong passwords throughout the organization. Enable two-factor authentication, and regularly patch your software.
- Conduct thorough incident response planning and training: Come up with a robust plan to address incidents when they happen.
- Institute access control measures: This mitigates insider threat and privileged access risk.
- Protect data at the record level: Secure what is most important (the data), as opposed to protecting your perimeter.
While these four practices should be at the top of your priority list, your preparation shouldn’t stop there. From a data protection standpoint, it is crucial to also:
- Identify where all collected consumer data resides.
- Adhere to strict data retention schedules and set up routine erasure of all categories of personal information once it is no longer necessary to store.
- Review all business partners that collect data on your behalf and ensure that they are CCPA compliant.
- Consistently review and update data collection and retention policies to comply with changing laws and regulations.
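The second list above asks for routine erasure of each category of personal information once its retention period has elapsed. The following is an added example, not code from the original article or from Baffle, of what that scheduled job can look like: an in-memory store of personal records, a per-category retention policy, a function that selects records past their retention date, and a purge step that erases them and writes an audit entry that carries no personal data. The category names, retention periods and sample records are constructed for illustration; real retention periods must come from your own legal review. Records whose category has no policy are reported for review rather than silently kept or deleted, which is the failure mode a practitioner most often meets when data inventories are incomplete.

```python
"""Retention-schedule enforcement for categories of personal information.

Added example (not from the original article). Policy values and sample
records below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical retention periods, in days, per personal-information category.
RETENTION_DAYS: Dict[str, int] = {
    "marketing_contact": 365,   # e.g. newsletter sign-ups
    "support_ticket": 730,      # e.g. closed customer-service cases
    "web_analytics": 90,        # e.g. device identifiers from site analytics
}


@dataclass
class PersonalRecord:
    record_id: str
    category: str
    collected_at: datetime                      # timezone-aware UTC timestamp
    fields: Dict[str, str] = field(default_factory=dict)  # the personal data itself


def find_expired(records: List[PersonalRecord], now: datetime,
                 policy: Dict[str, int] = RETENTION_DAYS) -> Tuple[List[str], List[str]]:
    """Return (expired_ids, unclassified_ids).

    A record is expired once collected_at + retention period is at or before
    `now`. Records whose category is missing from the policy are returned in
    the second list so they can be classified instead of lingering unnoticed.
    """
    expired: List[str] = []
    unclassified: List[str] = []
    for rec in records:
        days = policy.get(rec.category)
        if days is None:
            unclassified.append(rec.record_id)
            continue
        if rec.collected_at + timedelta(days=days) <= now:
            expired.append(rec.record_id)
    return expired, unclassified


def purge_expired(records: List[PersonalRecord], now: datetime,
                  policy: Dict[str, int] = RETENTION_DAYS,
                  audit_log: Optional[List[Dict[str, str]]] = None
                  ) -> Tuple[List[PersonalRecord], List[str]]:
    """Erase expired records and return (remaining_records, erased_ids).

    The audit entry records only the record id, category and erasure time,
    never the personal fields, so the log itself does not become a copy of
    the data it documents deleting.
    """
    expired, _ = find_expired(records, now, policy)
    doomed = set(expired)
    remaining: List[PersonalRecord] = []
    for rec in records:
        if rec.record_id in doomed:
            if audit_log is not None:
                audit_log.append({"record_id": rec.record_id,
                                  "category": rec.category,
                                  "erased_at": now.isoformat()})
            rec.fields.clear()  # clear in place so no other reference keeps the values
        else:
            remaining.append(rec)
    return remaining, expired


# Constructed sample data: the job is imagined to run on 2020-05-01.
SAMPLE_NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)


def sample_records() -> List[PersonalRecord]:
    utc = timezone.utc
    return [
        PersonalRecord("r1", "marketing_contact", datetime(2019, 1, 15, tzinfo=utc), {"email": "a@example.com"}),
        PersonalRecord("r2", "marketing_contact", datetime(2020, 3, 1, tzinfo=utc), {"email": "b@example.com"}),
        PersonalRecord("r3", "web_analytics", datetime(2020, 1, 10, tzinfo=utc), {"device_id": "dev-0001"}),
        PersonalRecord("r4", "support_ticket", datetime(2018, 6, 1, tzinfo=utc), {"name": "C. Example"}),
        PersonalRecord("r5", "legacy_export", datetime(2017, 2, 1, tzinfo=utc), {"phone": "000-0000"}),
    ]


if __name__ == "__main__":
    log: List[Dict[str, str]] = []
    remaining, erased = purge_expired(sample_records(), SAMPLE_NOW, audit_log=log)
    print("erased:", erased)                              # ['r1', 'r3']
    print("kept:", [r.record_id for r in remaining])      # ['r2', 'r4', 'r5']
    print("needs classification:", find_expired(sample_records(), SAMPLE_NOW)[1])  # ['r5']
    print("audit:", log)
```

Run as a scheduled job against the real inventory produced by the "identify where all collected consumer data resides" step; the unclassified list is the feedback loop that keeps that inventory honest, since any record the policy cannot place is surfaced on every run until someone assigns it a category.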
At a higher level, it is critically important to have someone within the organization monitor the CCPA’s status for changes.
With consumer privacy regulations and data privacy laws becoming the new normal, covered businesses will be more prepared as additional states enact similar regulations. This will be especially true if a federal privacy mandate becomes the law of the land. While the learning curve to protect data at more stringent levels can be steep, long-term benefits that extend beyond compliance—such as reputation management, increased consumer trust and greater efficiency—are well worth whatever initial discomfort you may experience.
Learn more about the California Consumer Privacy Act and about CCPA vs GDPR with help from Baffle today.
A version of this article originally appeared in Forbes.