January 2020 will bring changes to data privacy and security rules for businesses operating within, or interacting with residents of, the state of California.
The California Consumer Privacy Act is the first of its kind in the U.S. It represents a sweeping set of laws that affords its residents information on what personal information has been collected on them, with whom it has been shared, how to delete it, and how to prevent the sale of such data. Compliance with the California Consumer Privacy Act will force businesses to be more transparent with data collected on consumers while simultaneously allowing consumers to hold businesses accountable for their treatment of consumer information.
What is the California Consumer Privacy Act?
Although it’s called the California Consumer Privacy Act (CCPA), the regulations have wide-ranging impacts in the United States and beyond. Much like GDPR in the European Union impacted American companies and consumers, so too will the California Consumer Privacy Act.
To fall within the jurisdiction of the California Consumer Privacy Act, businesses must work in the state of California or collect personal information on residents of the state. Additionally, businesses must fall under one of the following criteria:
- Have at least $25 million in annual revenue
- Possess data on more than 50,000 consumers, households, or devices
- Earn more than 50% of business revenue from selling personal data
Those businesses not meeting the above-listed criteria will not be largely impacted by the CCPA, but those meeting even just one of those have a lot of work to do.
The California Consumer Privacy Act is broad in scope, substance, and enforcement, covering new forms of data like internet browsing history, metadata, and IP addresses. It also redefines what a sale of data “looks” like, stating that data does not have to be given in exchange for money, but expands the definition to include anything “valuable” to the holder of the data. Essentially, trading data for goods or services are covered under the California Consumer Privacy Act.
Companies looking to comply with the California Consumer Privacy Act will not find a wealth of information within the act itself. In fact, there is no roadmap to compliance given by the state, rather just some general ideas of what businesses will be required to do and timeframes around those actions.
What does my business need to do?
First: don’t panic.
The California Consumer Privacy Act goes into law on January 1, 2020, but you’ve got plenty of time to determine what compliance looks like for you. Six steps are recommended for immediate implementation in order to make compliance easier:
- Update Privacy Policies
- Update your privacy policies and notices to account for the necessary additions of what personal information is collected or sold, along with providing information about opt-outs from the sale of personal data.
- Create either a policy to specifically cover California residents to couple with current policies; or create one wholesale policy to cover all consumers.
- Update Data Stores and Business Processes
- Included in the California Consumer Privacy Act regulation is the requirement to maintain a data inventory to track data processing activities such as:
- Business processes
- Third parties with data access or transferal of data to third parties
- Products, devices, and applications that process consumer personal data
- The data inventory or database must track every consumer right’s request.
- Implement Procedures to Maintain Consumer Rights
- Certain consumer rights have been guaranteed by the California Consumer Privacy Act, including the rights of access, request, notice, and knowledge about personal data gathered by businesses. Consumers will be afforded the power to see and remove:
- personal information collected,
- the sources from which the information is gathered,
- the purpose for gathering the information,
- the categories of other parties with which the data was shared, and
- the specific personal information gathered about the consumer by the business.
- Businesses may provide personal information to a consumer at any time but do not have to provide requested information more than twice in a 12-month time frame.
- Update Security Measures
- An easily overlooked regulation of the California Consumer Privacy Act is the responsibility of the business to protect personal data with “reasonable” security. For many organizations, this includes performing a risk analysis and remediating high-risk vulnerabilities to maintain a baseline of security.
- Make Changes to Third-Party Agreements
- Third-party data processing will need an updated contract with requirements including:
- creation of vendor data inventories,
- use of due diligence questionnaires,
- providing records of the processing; requiring the syncing of consumer response processes; requiring onsite assessment and auditing; and requiring mapping of the specific data elements shared with each third party, including designating those transfer that qualifies as selling.
- Train Employees on the New Regulations
- At a minimum, any employee handling consumer inquiries for data collection and personal information must be informed of all requirements.
- It is recommended that more in-depth training on the California Consumer Privacy Act occur at all businesses dealing with the new regulations.
Penalties for Non-Compliant Businesses
Under the California Consumer Privacy Act, penalties are based upon unauthorized access incidents – be that breaches, exfiltration events, theft, or unauthorized disclosure due to poor security procedures and practices.
Fines will range from a maximum fine of $2,500 per violation for non-civil cases and a maximum of $7,500 for each violation in suits brought by the California Attorney General.
The intent is a critical component of each fine category, as the $2,500 fine is for non-intentional violations, while the $7,500 would be the maximum for intentional actions.
What are my next steps?
The California Consumer Privacy Act is more intensive than GDPR, requiring companies to take additional steps to ensure customer data is secure.
Most companies will need to consult with experts in data management, cyber security, and network security to ensure all aspects of the California Consumer Privacy Act are met before the regulations go into place.
The penalties and potential for embarrassment from a breach are strong and place an extraordinary amount of responsibility on businesses to keep data safe.
A partner like Archetype SC, with expertise in data, cyber security, and database management, is an excellent resource to answer questions and provide consultations on California Consumer Privacy Act compliance.