The new year is here — and with it comes the strictest data privacy law to hit the U.S. to date: The California Consumer Privacy Act (CCPA). Every organization needs to pay attention – even if you don’t currently operate in California. Similar data privacy laws are currently pending in eight other states, including Illinois, Maryland, Massachusetts, Nevada, and New York. Here’s what you need to know to prepare for CCPA and minimize the risks and business impact of noncompliance.
What is the CCPA and will it affect me?
The goal of the CCPA is to give California residents more control over their personal data and penalize companies for exposing such information. The law covers for-profit businesses with annual gross revenue of more than $25M that sell or share information on 50,000 or more consumers or derive more than half of revenue from selling personal information.
The CCPA defines personal data as anything that identifies, relates to, describes, or is reasonably capable of being associated with a consumer. The new law gives California consumers the right to:
- Know what personal information is being collected.
- Know whether their personal information is sold or disclosed, and to whom.
- Say no to the sale of personal information and request deletion.
- Access their personal information.
- Equal service and price, even if they exercise their privacy rights.
The financial impact of noncompliance adds up quickly. Fines start with civil penalties up to $7,500 per violation, with no limit on the number of violations. Statutory damages related to breaches range from $100 to $750 per consumer per incident or actual damages, whichever is greater. Thankfully, there’s a grace period. Enforcement for CCPA does not begin until July 1, 2020.
Three steps to take now for CCPA compliance:
1. Create a central inventory of all data within scope of CCPA.
First things first – begin by creating an inventory of all the information the organization possesses that could be within the scope of CCPA. Note why it’s being collected and the consumer profiles, vendors, third parties, and service providers involved. And don’t wait till the last minute. This data is often decentralized across various hard drives, files, and spreadsheets. Leveraging technology can ease the burden and facilitate the data classification process.
2. Integrate CCPA into your existing risk and compliance program.
This is a very important step – a stand-alone approach to compliance might get initiatives off the ground, but the long-term value is limited, and you won’t have a clear view of the complete risk and compliance landscape. To integrate CCPA into your larger risk and compliance program, first ensure you have a strong governance and management structure in place. Then, create a framework to understand the upstream and downstream impacts of specific compliance requirements and responsibilities, and validate the CCPA requirements against this framework.
3. Leverage technology to streamline compliance.
The right technology is the best defense against unintentional CCPA violations – it makes the entire process easier, including gathering and controlling large volumes of information, measuring compliance across key performance indicators, and responding to requests. Technology can perform a readiness assessment on the maturity of your organization’s privacy procedures as they relate to CCPA. Technology also can help develop questionnaires for Data Privacy Impact Analysis (DPIA) so you can better understand how important certain processes are for compliance.
Technology makes it much easier to drive and enforce proper management and governance structures across the board. You can see which CCPA requirements overlap with HIPPA, GDPR, and more to simultaneously manage all compliance obligations.
CCPA is likely just the beginning of a long and steady rise in data privacy legislation. With the right tools, mindset, best practices, and processes in place, risk and compliance leaders can prepare for CCPA and build a strong foundation to prepare for this new regulatory wave.