Californians will ring in the new year with new regulations. If you don’t want the California Consumer Privacy Act (CCPA) to spoil your holiday parties and end-of-year celebrations, now is the time to prepare. We’ve put together this quick guide to get you up to speed on what you need to do to comply with the law.
Do I Need to Pay Attention?
Are you a for-profit business operating in California and collecting consumers’ personal information? You need to follow CCPA regulations if you:
- Have annual gross revenue exceeding $25 million or
- Purchase, sell or share data from more than 50,000 consumers, households or devices or
- Derive 50% or more of your annual revenue from selling consumers’ private information
DiamondIT advice: Even if you don’t meet all the above criteria, it’s still a good idea to review your policies, tighten security and know how you’ll process data requests. CCPA will not be the final word on this matter. Cybercriminals are attacking a wide range of targets – from cities to corporations – and you should expect more regulations regarding data you hold in the coming years.
What Impact will CCPA Have on My Business?
Like the General Data Protection Regulation (GDPR), CCPA forces businesses to rethink how they handle, process, store and secure data. Starting January 1, 2020, consumers gain new controls over their information. You’ll need to tell them what categories of data you collect about them, either before or at the time of collection, and provide updates about your process as necessary.
People can ask what data you’ve collected about them, and you’re obligated to provide this, free of charge, up to 2 times each year. If you have consumers under the age of 16, they must opt in before you can sell their data. Anyone older than 16 can forbid the sale of their information or force you to delete it. Additionally, individuals will have the right to know:
- Categories of third parties with whom their data is shared
- Categories of sources of information from whom their data was acquired
- Business or commercial purposes of collecting their information
What Happens to Businesses that Aren’t CCPA Compliant?
Failure to comply will result in penalties, and the fine is higher if you’re viewed as having intentionally violated CCPA. The maximum fine for an unintentional violation is $2,500; for an intentional violation it’s $7,500.
Fines aren’t your only concern
CCPA makes it easier for consumers to file class-action lawsuits against companies that don’t have “reasonable” security measures in place. Consumers will be legally entitled to recover between $100 and $750, or the actual damages, whichever is greater. Civil litigation could be more harmful than the fines, causing financial and reputational damages to your organization.
5 Steps to Prepare Your Business for CCPA
1. Don’t assume meeting GDPR covers every requirement
There is significant overlap between the two sets of requirements; however, they’re not identical. For instance, differences exist regarding the definition of “personal information,” which CCPA extends to data connected to households and devices.
2. Work with an expert to understand your obligations
Many phrases can be open to interpretation in the courts, like “doing business in California.” Depending on how it’s construed, this could encompass businesses based in other states or countries that have clients in California. Similar nuances could occur as words like “violation” and “reasonable” are evaluated by the courts. Seek out experts who can explain your legal and technical requirements.
3. Get an IT assessment
Similar to how a punch list defines what needs to be fixed before a project is finished, an IT assessment defines the pieces of your infrastructure you need to improve before your organization is secure and compliant. It clearly defines your roadmap and gathers evidence that you’re actively working to avoid data breaches – potentially saving you from intentional fines or lawsuits under CCPA.
4. Prepare your documents
Your document trail doesn’t end with the IT assessment. You also need to create documentation around security policies you’ve implemented and measures you’re taking to improve security and meet regulations. If you need to comply with other regulations, like HIPAA or PCI, you’ll want to follow a similar framework for documenting CCPA compliance.
5. Consult your IT expert
To avoid lawsuits and fines you need proper security measures in place and documentation that you’re proactively protecting data. Additionally, you need the infrastructure to quickly validate consumer data requests, access a comprehensive set of data on a person, and securely share the information and manage it based on a consumer’s wishes.
DiamondIT advice: The assessment and audit trail can help protect your business from the “intentional fines” mentioned above.
Is Your Network Security Ready for CCPA?
You don’t want to guess or assume you’re prepared. Contact DiamondIT for a network assessment today.