Key Questions to Ask When Preparing for CCPA Compliance

    Last year, the European GDPR was “all over the place.” This year, it is the California Consumer Privacy Act (CCPA) hogging the limelight. It’s no secret that data privacy is a hot topic and that it will continue to be so in the coming weeks. Although the CCPA will go into effect on January 2020, becoming compliant with it will not be a brief task. If you’ve thought you’ll be fine with last-minute preparation work, know now that won’t work.

    CCPA is quite similar to its European counterpart (regarding definitions of certain jargon, protections offered to individuals who are under 16 years old and the consumer’s right to access personal data). There are substantial differences. One of the GDPR’s fundamental principle talks about the need to have a “legal basis” for personal data processing—that is missing in the CCPA. In other words, despite being GDPR inspired, CCPA has been structured following a US context.

    The good news is that if your business has already worked on the GDPR compliance, you’ve won half the battle in terms of your company awareness. Still, you have to undertake the effort all over again because being GDPR compliance doesn’t mean being CCPA compliant, and you’ll need to handle instances for the CCPA explicitly.

    So, if you’re just starting with your CCPA readiness plan for your organization, here are few of the most important questions to ask:

    Does the CCPA apply to my organization?

    It applies to any organization doing business in California that gathers and processes the personal data of Californians. The act does not make it mandatory for businesses to have a physical presence in the Golden State but will apply when at least one of these conditions:

    • The enterprise records annual gross revenue of $25 million or more;
    • The enterprise collects, sells or shares personal data of 50,000 or more California residents, households or devices;
    • The organization generates at least 50% of annual revenue by selling the personal data of the Californian residents

    What are the exceptions to the CCPA?

    California’s privacy regulation does not restrict businesses in doing the following:

    • Following federal, state, or local regulations;
    • Gathering, leveraging, maintaining or sharing customer’s data that has either been de-identified or in the aggregate individual information;
    • Collecting or even selling customer’s personal data as long as the commercial conduct does not take place in California.

    CCPA is intended to support federal and state laws; it will not apply if it conflicts with the US Constitution, federal law, or California law.

    The CCPA is not applicable to the following:

    • The medical information governed by the California Confidentiality of Medical Information Act (CMIA) or the health information of a covered entity under HIPAA has been exempted from the CCPA.
    • The personal data gathered, processed, sold or shared pursuant to the federal Gramm-Leach-Bliley Act.

    Will I be penalized for not complying with the CCPA?

    Similar to the GDPR, the penalty cost for non-compliance is huge. Apart from losing the customer trust, the non-complying business will face penalties of $750 per consumer per incident (which also means $750,000 for an incident involving 1,000 consumers) or actual damages, whichever is greater.

    Also, if your business fails to meet certain data security needs, the affected customers can ask you to fix it within 30 days or face legal action.

    Do I have time left to become CCPA compliant?

    Although the California privacy regulation won’t come into force before January 1, 2020, businesses should be aware that customers will be able to request personal information for the past 12 months, so the data you currently hold or have utilized since January 1, 2019, should be made compliant.

    According to a survey by privacy compliance company TrustArc, 44% of companies impacted by the CCPA haven’t yet taken any steps to become compliant. Market experts predict that the compliance route will grow even more onerous for businesses if they don’t get focused on becoming CCPA ready.

    How can I become CCPA ready?

    Approaching CCPA compliance in the right way is germane to be successful. Be sure to base your data privacy readiness plan on the findings from these questions:

    How does your organization process the customer’s personal data?

    • When and how you gather it;
    • What location, for how long a time period, and what systems you use for storing the customer data;
    • With whom you share the customer’s data.

    How to comply with the CCPA?

    Review and find out if your systems follow and are in compliance with the rules as stated in the CCPA for data deletion, access, portability, and even opting out.

    Ensure that you conduct this review across the organization, including teams like customer support and HR.

    To support your compliance efforts, you should:

    • Set up a dedicated toll-free support number, email address, or a specific resource to handle customer issues hassle-free;
    • Create processes to manage the opt-out requests;
    • Keep a strict vigil of online privacy policies;
    • Be sure your client-facing team is well-acquainted with the CCPA’s data privacy practices.
    • What should I do if my customers are located outside California?

      It’s your call if you decide to apply CCPA with and for customers who are not located in California or establish and operate a different set of privacy policies to manage non-Californian personal data.

      While deciding which path to choose, determine the following:

      • Are you able to easily differentiate between the data of Californian residents and those located in another region?
      • Would your relations with non-Californian customers be affected if you inform them the CCPA does not cover them?
      • In case you plan to offer CCPA rights to all your customers irrespective of their location, is your business capable of handling it?

      Best Practices for CCPA Compliance

      • Recognize the risks in data procedures and craft new risk management policies accordingly;
      • Revise your communication methods and privacy policy. Also, ensure that your customers are aware of the data collection policy followed by your enterprise;
      • Only record and save those elements of customer data that impact the direct service of your organization.
      • Put a data tracking system in place as early as possible because customers may request data collected in the prior 12 months starting January 1, 2020.

      Conclusion

      Data privacy is a big concern for Americans and, as found in the latest Harris Poll data, comparable to concerns on other issues like job creation, healthcare. The CCPA is expected to usher in significant changes in the way businesses handled consumer personal data. Businesses shouldn’t just rely on the GDPR to understand how the data privacy scenario will pan out in California. Instead, they should aim to create a comprehensive data inventory so all personal data assets meet CCPA requirements.

Solution Brief: Privacy and Security, Together for Greater Trust