Driven by the continued rise in consumer data breaches and growing privacy concerns, California passed the California Consumer Privacy Act (CCPA) in 2018. With nearly 40 million residents and some of the world's largest companies headquartered there, California is now the fifth largest economy in the world. This regulation isn’t one companies can ignore.
When the CCPA went into effect on January 1 (enforcement will begin on July 1), it provided California residents with more control over their personal information and how companies use it. Although achieving compliance with the CCPA should be easier for companies already aligned with the GDPR, the CCPA requires more than just simple cosmetic changes. Here are some key areas to focus on as you prepare for compliance with the CCPA.
Map Your Data and Its Sources
Determining where to start with CCPA compliance can be difficult, but in order to effectively comply with this regulation, organizations first need a comprehensive understanding of their data. This can be achieved through a data mapping exercise. Through data mapping, you can see how your company collects, processes, transmits, and stores data – as well as how it’s used and who uses it. A data mapping exercise uses different methods to collect information from key stakeholders (e.g., department heads, third parties, IT, etc.) about where your critical data is coming from and how it is handled, so you can understand the complete lifecycle of your data. A properly executed data mapping project will help your organization answer the following questions:
- Where and how do we collect personal information?
- What types of personal information do we collect and store?
- Where and how do we store personal information?
- How do we protect the personal information we collect and store?
- How do we prevent the inappropriate sale or distribution of this personal information?
Being able to answer these questions will allow your organization to establish effective procedures for ensuring your data is prepared for consumer requests around the rights to access, deletion, and portability. This is crucial as the CCPA requires companies to provide consumers with access to their data and data collection methods when requested. This regulation also contains a 12-month “look back” requirement, which requires that organizations provide consumers with access to their personal data records dating back a whole year from when the request was made. With only 45 days to answer these consumer requests, organizations that lack a defined, easy-to-use process for accessing this information will face significant fines.
Mapping your data flows inside and outside your organization when preparing for CCPA compliance can help refine data collection practices and identify opportunities to reduce the impact of compliance on business operations. While data mapping should be a regular exercise, an initial mapping provides a solid starting point for achieving compliance with the CCPA and other regulations.
Focus on Consumer-Facing Functions
The CCPA extends to organizations both inside and outside of California. Business functions that collect and leverage large amounts of consumers' personal data are greatly affected, like marketing, ecommerce, call centers, and sales departments. These areas rely on consumer information to power ad campaigns, enhance digital experiences, and grow the business. With California residents making up 12% of the U.S. population, the CCPA poses some challenges to these business areas since consumer information is crucial for their daily operations.
Companies must evaluate their practices for gathering personal information, especially when obtaining permission for collecting data, and see if they align with the CCPA. Key data points for multiple departments, like IP addresses, Internet usage, and browsing histories, are all considered personal information under the CCPA, and are subject to its requirements.
When it comes to complying with the CCPA, organizations need to work with key business functions like marketing and sales to establish processes that ensure the proper handling of consumer requests. It is important to: 1) deliver unique consent forms for each data-gathering instance, 2) have a thorough “right to be forgotten” process, 3) provide detailed permission settings on who can access a consumer’s personal information, and 4) only collect data that there is a clear and immediate use for. Establishing strong processes within the business functions that collect large volumes of consumer data is critical to CCPA compliance.
Review and Assess Existing Third-Party Relationships
Nearly every company relies on third parties to run their business, but some of the largest breaches in recent years have been caused by a lack of proper third-party vetting. This increased risk not only requires a robust third-party risk management program, but also increases the need for vendor cooperation in the event of a breach. To prepare for the CCPA, third parties’ security and privacy processes need to be evaluated, and contracts need to be reviewed to provide clarity on who is liable in the event of a breach.
In addition, since the CCPA allows consumers to request access to their data, companies that buy consumer data need to make sure it comes from a legitimate source. Since third-party data typically changes hands often, it can be hard to determine if the information was collected with consent. Under the CCPA, operating on stolen or breached data can result in significant fines. A comprehensive third-party management program will classify the risks associated with external parties and establish continuous monitoring of the third parties, leading to better risk visibility.
Review Your Privacy Policies and Disclosures
Privacy notices inform consumers on how their data is collected, how it is used, who it is shared with, and the choices they can make about their data. These must be provided to consumers when or before any information is collected, shared, or sold. Under the CCPA, businesses must have privacy policies and notices in place that meet these criteria. Then a series of privacy procedures need to be implemented to back up the statements made in the privacy notices, especially around individual rights. If a company sells consumer data, the CCPA calls for specific processes like including a prominent “Do Not Sell” or “Opt Out” button on a company’s website.
However, the term “sale” is quite broad within the CCPA. Under this law, there does not need to be an exchange of money for a sale to occur. A disclosure of personal information by any means shared for any benefit can be considered a sale. Therefore, even businesses that do not exchange personal information for money likely still need to include opt out buttons on their sites and ensure the proper privacy notices are put in place.
Processes and policies that need to be reviewed or implemented are:
- Privacy policies and notices
- Consent notices
- Deletion procedures
- Data breach/incident response plans
- Privacy impact assessments
Reviewing existing policies at your organization can help identify missing disclosures and commitments, uncover gaps in compliance, and identify operational challenges that may arise during compliance efforts.
Reduce the Risk of Litigation
Under the CCPA, the Attorney General is responsible for enforcing civil actions for non-compliant businesses. However, this regulation states that action will only be taken if an organization has failed to address an alleged violation within 30 days of being notified. If an infringement isn’t remedied, the Attorney General can seek a civil penalty of $2,500 for each non-intentional violation and $7,500 for each intentional violation.
The CCPA also creates a private right of action for California residents to sue businesses if their personal information is subject to “unauthorized access and exfiltration, theft, or disclosure.” Consumers can sue for actual damages, but they can also seek statutory damages of $100 to $750 per consumer per incident. For this type of lawsuit, consumers must provide businesses with a 30-day written notice of the alleged violations and cannot sue until that period expires. If the business addresses the violation within the 30-day period and provides the consumer with an express written statement that no further violations shall occur, the consumer will be barred from bringing action.
These class-action suits are expected to multiply, since the private right of action arms every data breach victim with the right to pursue action. Companies that have suffered a breach will need to be prepared to receive a substantial number of notices and be equipped with suitable strategies and processes for managing them. Even if a breach hasn’t occurred, companies will still need to examine the mechanisms in place and determine where a potential lawsuit could develop.
There are also ways to proactively prepare to limit the risk of litigation:
- Terms and Conditions: These should include an arbitration and class action waiver and require affirmative consent by consumers before they can provide any personal information.
- Third Parties and Vendors: They should be vetted to ensure that any security deficiencies are identified and remediated. Cybersecurity assessments can help determine if their procedures are effective.
- Breach Response Plans: These procedures should be implemented or modified to respond to consumers efficiently and in a timely manner during the cure period. This can help reduce the possibility of widespread claims and lower the potential penalties, as seen in the Knuddels case in Germany.
Stay Current with Amendments and Federal Legislation
The CCPA has been in a constant state of revision since it was passed in 2018. Multiple bills have been introduced with the intention of clarifying some of the ambiguities found in the legislation, and more are expected to be introduced before its official implementation date. Organizations should remain current on the developments and potential amendments to the CCPA.
The CCPA will also not be the last data privacy regulation that businesses will have to address. Numerous U.S. state laws are pending, including New York’s Privacy Act, and many states have already passed new privacy bills, including Maine and Nevada. Staying current with the privacy developments across the world will help your organization prepare for the impact of these laws on business operations.
Although the CCPA went into effect in January, the Attorney General will not start enforcing the law until July 1, 2020. Nevertheless, taking action ahead of the deadline is critical. With the threat of civil lawsuits rising for breach violations, companies cannot afford to delay developing a strategy for achieving compliance. Compliance with the CCPA is an excellent opportunity for companies to start laying the groundwork for a more robust, well-designed privacy program. This law is becoming the new data protection standard in the U.S. and taking the time to understand and align with its requirements will help you streamline future compliance efforts.