The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. This landmark law has implications far beyond California and represents a significant shift in attitudes about data privacy regulation in the United States. Thus, taking a proactive approach to CCPA compliance will prepare your business to thrive in the evolving data compliance landscape.
What is the CCPA?
In 2018, California passed a sweeping data privacy act modeled on the European Union’s General Data Protection Regulation (GDPR). The CCPA requires compliance by all businesses that collect data related to California residents, have annual gross revenues of at least $25 million and collect personal information on 50,000 or more consumers.
In addition, the regulations affect third-party suppliers who provide goods and services to companies required to comply with CCPA. That means that even if you do not have an office in California or meet the revenue and size specifications, the law may still apply to your business.
At its core, CCPA compliance requires that businesses give consumers the ability to:
- Request disclosure of all personal data collected regarding them and their households – This applies to data collected over the 12 months previous to the request. Businesses must be able to indicate how that data was shared and with whom.
- Opt out of the sale of their personal information – Keep in mind that the CCPA uses a broad definition of “sale” that includes many instances of information sharing that do not involve money.
- Request deletion of their personal information.
CCPA differs from the GDPR in a few key ways. On the one hand, it expands the definition of “personal information” to include items such as IP address and browsing history. It also specifically requires parental consent for the sale of children’s information. On the other hand, CCPA does not require impact assessments or the appointment of a data protection officer.
Steps to CCPA Compliance
Like most legislation, the CCPA can prove complex. However, several essential first steps can set you well on your way to CCPA compliance.
- Include a clearly marked “Do Not Sell My Personal Information” link on websites and apps.
- Audit your data. Know what kinds of personal information your business gathers or processes. Know where the data lives and who has access to it. This includes data reaching back to January 1, 2019.
- In addition to knowing where you store personal information, make sure that you can delete or anonymize an individual’s data upon request.
- Also audit the third-party vendors in your supply chain. The CCPA includes specific terms that must appear in contracts with vendors that process personal information for your business.
- Update your privacy policies each year.
- Build data privacy into your business processes and goals. Protecting customer data should become an integral part of how you do business.
Just the Beginning
The CCPA represents just one of several significant data privacy laws across the United States. For instance, Vermont passed a stringent law regulating data brokers. And Washington state passed its own law based on GDPR that expands regulations to include facial recognition technology.
More importantly, voices within the tech community and the government have increased calls for federal privacy regulation. In fact, this month a group of 51 tech companies, including Facebook and Google, called on Congress to craft a “comprehensive federal consumer data privacy law.”
Proactive Approach to Data Privacy
With GDPR and CCPA compliance already shaping the business environment, and the certainty of federal regulations in the near future, businesses cannot afford to take a lackadaisical approach to data privacy. Implementing data privacy practices now prepares your organization to respond with relative ease to both current and future regulations.
The consultants at Messaging Architects can help your organization develop an information governance program that includes compliance with data privacy laws. We will guide you through the maze of regulations, assessing your compliance status and assisting you with defining internal policies. With a proactive approach, you can protect both your business and your customers’ privacy.