California businesses that collect personal information on California residents are experiencing a calm before the CCPA regulatory storm. This is a brief period of tranquility, overshadowed by the prospect of hefty fines, brand erosion and potential loss of business for non-compliance with the California Consumer Privacy Act (CCPA).
On Jan. 1, CCPA introduced new rights for California citizens. This new law affects the way companies handle the data they collect and the privacy of their users. The legislation is currently only applicable to consumers in the state of California. However, it will likely have an impact across the country as other states including New York, Nevada, Illinois, Massachusetts and Washington are all working to introduce their own consumer privacy bills.
Don’t Get Caught Unprepared
CCPA is here. Do you know what it is? Are you prepared? More importantly, do you know what the risk is to your business? Companies have 45 days to respond to consumer requests for their data. They have 30 days to comply when they receive notification of non-compliance. If there is no resolution, they can be fined up to $7,500 for each user record. While this may not seem overwhelming, don’t be surprised to see class action lawsuits on behalf of citizens, with potentially tens of millions of records and huge fines levied against companies found in non-compliance.
CCPA regulations apply to companies that do business in California and have annual gross revenues exceeding $25 million. CCPA also applies to businesses that buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, or that derive 50% or more of their annual revenue from selling personal information.
Businesses must allow consumers to opt out of having their personal information used by companies or shared with third parties. This means companies must separate the data they collect according to each user’s privacy choices. And just because you’ve already prepared for GDPR doesn’t mean you’re in compliance with CCPA. CCPA compliance brings its own operational challenges, which differ from GDPR’s with regard to collection limitations and accountability rules.
CCPA gives California residents new rights with respect to how their personal information is collected, including the right to delete information, refuse the sale of their personal information and to know what personal information the business collects.
This creates new operational challenges for businesses whose diverse and disparate applications, forms, devices and storage systems collect and store personal user information. Administrators need a central location from which to access the data, provide it to users and explain how it is being used.
Identity governance should be central to your CCPA strategy: it secures user data by mitigating the risk of data breaches, and it ensures personal user information is processed and stored in a way that satisfies the regulation. Along with planning and defining strategic goals, identity and access management (IAM) solutions can bridge the gap between your need to capture and store user data and your ability to comply with regulations such as CCPA. Collecting personal information, managing it and responding to user requests for it can all be simplified through an IAM system. However, this is only true if the IAM solution can integrate diverse systems and applications and has privacy as part of its foundation.
Steps you can take to ensure your company is CCPA-compliant:
- Educate employees on the importance of CCPA and its ramifications.
- Document personal data you collect and store, including source, location and where it’s shared.
- Review privacy notices and form a plan to change, add or delete data to bring them into compliance.
- Review and update procedures on how to respond to user requests for personal information.
- Understand your legal basis for handling personal data.
- Conduct a data protection design and impact assessment.
- Define procedures to detect, report and investigate personal data breaches.
- Identify individuals who will be responsible for data protection compliance.
Creating a plan that addresses all aspects of CCPA is critical. This will help you know where your vulnerabilities are and how to adjust. Everything from the initial needs assessment through to responding to CCPA requests requires planning, design and implementation.
A data assessment will identify data throughout the organization that needs remediation. Conducting a proper assessment of IT environments, processes, workflows and employee awareness will help to ensure your business complies with CCPA regulations. Data remediation is fundamental to aligning identity with privacy. The key here is to mitigate risk by not storing non-compliant data, while retaining the ability to inform users of what you hold and to respond appropriately when they request their data.