The California Consumer Privacy Act (CCPA) went into effect on January 1st 2020, but its enforcement is staged and we are about to hit another milestone. July 1st 2020 is when the CCPA enforcement phase begins, which means that the Attorney General of California will be able to take action against companies that violate the state’s regulation. Given the significant fines for non-compliance, not to mention the damage to your organization’s reputation, it's time to make sure your company complies with the CCPA.
When the CCPA was first announced in October 2019, the proposed regulation included the following key requirements:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information; and
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
If your company handles any PII (personally identifiable information), you probably already have a data security program or compliance program in place. Using a tool like MyVCM can help you compare the documentation you already have against the requirements of other standards. For example, your compliance with GDPR can be compared to compliance with CCPA. MyVCM CrossWalk Assessments will show you where the gaps between these standards lie and help you develop the documentation and evidence needed to complete your compliance.
If you don’t have a data security program in place, here are six steps to take now to get your organization moving in the right direction:
1. Do a risk assessment. A risk assessment is a great first step and will clearly show you what information you hold that is covered by the CCPA and whether you are protecting it as the CCPA requires. Knowing your data protection policy will help.
2. Make a plan. You may not reach compliance in a day, but you can make a plan and make a start. The California AG is more likely to look favorably on your organization if you can show that you are taking steps to comply with the CCPA. Consider the type of customer information your organization needs to maintain and make a plan to protect it.
3. Secure a budget. An effective program cannot be built without resources. Understand the cost and fund it. Know that a breach of the CCPA carries significant financial costs. The National Law Review explains that a consumer need not show actual damages to bring a statutory action; they only need to show that their non-redacted, non-encrypted personal information was subject to a qualifying data breach. Investing in a tool now to help your organization manage risk can save you money in the long run.
4. Get help. As with anything, knowing what you are doing makes the journey faster and simpler. Bringing in experts can reduce your overall costs. Invest in a tool to help you: it will help you track activities and make it easier to show proof. Seek out a tool that allows you to track compliance with multiple standards.
5. Make a start. Consider consent management and subject rights management. Find a way to track and manage this data. Make sure you have explicit consent from customers to store and use their information.
6. Involve everyone. Building a security program is not a one- or two-person job. Make sure everyone, from the CEO to the most junior team members, understands and participates in the security of your business. Find a tool that can train your organization, especially those who have access to PII. Ensure that only the people who need access to PII for their job have that access. Remember that with the increase in employees working remotely due to COVID-19, your organization has to understand the security risks involved in so many employees accessing information from remote locations.
One more crucial point: avoid avoidance. It won’t work to simply block IP addresses from California residents. If a California resident is outside the state and accesses your website, they are still protected. In an interview with Reuters, California Attorney General Xavier Becerra gave a clear warning about his office’s approach to enforcement: “We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that ... demonstrate an effort to comply,” Becerra told Reuters. “If they are not (operating properly) ... I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
It is also important to note that California is not done with just the CCPA. On the ballot in November 2020 will be the CPRA (California Privacy Rights Act), which proposes imposing greater restrictions on companies holding consumer information. The advocacy group Californians for Consumer Privacy is leading the CPRA initiative. According to the National Law Review, “While the CPRA, if passed, would not go into effect until January 1, 2023, businesses will want to keep a close watch on developments in order to have as much time as possible to prepare if the measure is approved.”
Compliance is a journey that all businesses need to take. It will not stop with the CCPA: other states have already introduced, or are in the process of introducing, their own consumer privacy regulations. Regulations adapt and change over time as technology changes, and businesses need a tool that helps them on their compliance journey. If you have questions about compliance with the CCPA or other regulations, speak to an expert at Ostendio, who will be happy to offer guidance and explain how the MyVCM integrated risk management platform can help your business. Ostendio customers have been using the platform for over 7 years to build, operate and showcase their compliance with over 100 standards and regulations globally.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy as an example. Just contact us at email@example.com.