We hear about personal data breaches and cybersecurity attacks daily in the news. The California Consumer Privacy Act (CCPA) is one state’s answer to the outcry for individual data protection. Yes, it’s a just state law, but California has the world’s 5th largest economy and that means if the CCPA becomes law on January 1, 2020 as currently written, your business is very likely to feel its wide-ranging effects.
Like the General Data Protection Regulation (GDPR), which covers any EU resident no matter where they may be, the CCPA isn’t limited to companies based in California. It’s tied to people. So it’s not where you are but where you’re from that protects you under the statute, i.e. a Californian. So, from a business perspective, the CCPA’s focus on consumer ability to opt-in, opt-out, access and demand deletion of their personal information sounds a lot like GDPR.
Despite what you may have heard about the “HIPAA exemption,” healthcare organizations won’t necessarily be exempt. The CCPA’s expanded definition says Personal Information (PI) “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.” How many healthcare organizations can say that doesn’t apply to any of their data?
So you know you need to do something but what should your business do to prepare?
6 Steps for the CCPA Compliance Deep Dive
- Take a breath. This is a journey but it starts with simple steps. Don’t let the size of the task stop you from starting it.
- Do a risk assessment. You can’t know what you need to know until you know where to start.
- Make a plan. Understand your final objective and when you need to get there. Break your plan into quarterly increments to make it more manageable. (Rome wasn’t built in a day and your security program won’t be either!)
- Secure a budget. An effective program cannot be built without resources. Understand the true cost and fund it. A good baseline will be 5% or your operating expenditure.
- Get help. Like anything, knowing what you are doing can make the journey faster and simpler. Bringing in experts can reduce your overall costs. Invest in a tool to help you. It will help you track activities and make it easier to show proof.
- Involve everyone. Building a security program is not a one or two person job. Make sure everyone from the CEO to the most junior team members understand and participate in the security of your business.
One more crucial point, avoid avoidance. It won’t work to simply block IP addresses from California residents. If a California resident visiting the Great Lakes accesses your company website – CCPA protects their rights.
Cover your bases in the meantime. Be able to show that you are working toward CCPA compliance. Document how not only you, but also your business affiliates, third party vendors, and the associated contracts are in compliance.
The cost of non-compliance with the CCPA
If you don’t comply, the California Attorney General can bring suit against your business. CCPA non-compliance cost is nothing to sneeze at: $2,500 per violation and $7,500 if the violation is determined to be intentional.
That’s cost per violation, per consumer. Now think of how many identifiers could apply to online activity, like cookies, where a person’s Internet Protocol (IP) address is collected. Suddenly those numbers multiply into heart stopping amounts.
We can’t underestimate the impact the CCPA will have on any organization’s privacy and security controls. There’s a wave coming, driven by consumer anxiety and legislative demand. What we can do is be ready to ride it. When you need help, contact Ostendio. Our integrated risk management platform can help you demonstrate what you are doing to comply with the CCPA and other standards. And if you already have documentation in place for GDPR, our new CrossWalk Assessment feature can save you time by comparing requirements for GDPR and CCPA so that you just need to fill in the missing documents. Call us to talk to an expert. We’re happy to help!