CCPA compliance became a hot topic within just the last year or so for anyone doing business in California, whether physically or online.
As governments grow aware and critical of how companies use (and sometimes misuse) consumer data, data privacy laws are becoming more prevalent. Beginning in January 2020, certain businesses operating in California were required to comply with the California Consumer Privacy Act of 2018 (CCPA). Whether CCPA compliance applies depends on several factors, including the location of the business, its gross revenue, and whether it profits from buying or selling the personal information of California residents. These requirements can also reach businesses that aren’t located in California but do business online.
Wondering if it applies to you? You’re not alone. Since the law passed in 2018, many organizations have expressed confusion over the scope and extent of the CCPA. That’s why we’ve compiled this guide. Here are the basics you need to know about the CCPA and how to achieve compliance with it.
The CCPA is a landmark law that gives California consumers significantly more control over how businesses collect and use their personal information. It applies to any for-profit business operating in California that meets any one of the following conditions:
The CCPA grants California residents many new rights regarding the control of their personal information. CCPA compliance is tied to making sure your business has the proper notices and procedures to respect these rights. Consumers have the right to:
The CCPA and the EU’s General Data Protection Regulation (GDPR) both fall into a similar class of data privacy laws. However, they differ in both their scope and the rights they afford consumers. Notably:
Achieving and maintaining CCPA compliance in your business will require you to review your current policies around data collection, storage, and use. We recommend that you:
The CCPA requires businesses to “implement and maintain reasonable security procedures and practices” but doesn’t outright define what this means. Some things you can do include:
The CCPA allows consumers to demand businesses take specific actions regarding their personal information, including handing it over or deleting it. For CCPA compliance, you’ll want to make sure you have developed policies and procedures to support these demands, and that your staff knows what to do when they arise. Include in your training:
You’ll need to provide a way for your consumers to exercise their rights under the CCPA. The exact method this takes will depend on your company and its infrastructure. You may:
Although the CCPA doesn’t explicitly mention “look back” in its language, a 12-month retroactive requirement does exist. When a consumer requests to access their personal information, you must be able to provide records covering the one-year period preceding the date of the request.
If you haven’t already, create a data inventory using a classification method to identify what personal information falls under CCPA compliance requirements. Keep this on hand in the event of requests.
Many websites now include banners, links in the footer menu, or other features that allow users to opt in to or opt out of the various data collection processes that businesses use. If you haven’t updated the company website to reflect this, you should do so now. Make sure that these links are:
For-profit California businesses that meet one of the three conditions mentioned earlier in this article are now required to achieve CCPA compliance. Don’t wait until a consumer comes along and discovers that they have no way to exercise their rights. Update your policies and procedures now to protect yourself from lawsuits and data breaches. Securicy can help.