California Consumer Privacy Act: Use Best Practices and Gain a Competitive Edge
Companies that are fully prepared for CCPA compliance will reduce the risk of fines and gain an edge over unprepared competitors. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020, with enforcement beginning no later than July 1, 2020. Because California consumers can request an account of how their data was used over the previous 12 months, companies need to be prepared to look back and provide data from January 1, 2019.
The CCPA broadly expands the rights of consumers and requires companies to be significantly more transparent about how they collect, use, and disclose personal information. For compliance leaders, such as chief privacy officers (CPOs) and data protection officers (DPOs), the CCPA represents an opportunity to operationalize privacy and make it a strategic priority for gaining competitive leverage.
Who Needs to Comply With the CCPA?
Any for-profit entity that has customers or employees in California needs to be concerned about compliance. The CCPA affects companies that:
- receive personal information from California residents, either directly or indirectly, and annually generate revenue in excess of $25 million;
- receive the personal information of 50,000 or more California residents, devices, or households annually (directly or indirectly), or derive at least 50% of their revenue from the sale of personal information about California residents.
Organizations that are affected by the CCPA and fail to comply risk being assessed fines of between $2,500 and $7,500 per violation for each consumer. For companies with large enough scope to be affected by the CCPA, this could result in fines in the millions of dollars. If that risk were not enough to get the attention of the chief financial officer or general counsel, the CCPA also has private enforcement mechanisms, which create an army of potential enforcers.
CCPA Best Practices
To prepare for the impending regulation, CPOs and DPOs should obtain an approved compliance budget, develop the key IT, marketing, and operations processes, and evaluate tools that will help their organizations build and implement a compliance plan. The plan will need to include a comprehensive data inventory describing which business processes are in the scope of the CCPA and where the gaps are in compliance processes. Compliance leaders should adopt the following best practices to help achieve CCPA compliance:
- Draft Transparent and Understandable Policy Language. By January 2020, businesses must provide consumers with specific information pertaining to the new regulation. For example, consider a consumer who wants to shop at a large online retailer and downloads its app. The user will receive a privacy prompt asking whether they will allow the company to collect certain information, and must acknowledge that they understand the policy, or would like to review it, by clicking an “accept” button or taking a similar action.
The app must also update those prompts to explain how the CCPA affects what rights users have related to privacy protection, and how those rights differ from pre-CCPA rights. To comply with this mandate, organizations must update privacy notices at least annually by describing how CCPA statutes affect data collection and users’ privacy options, ensure those notices meet the transparency requirements of any applicable laws, and formally document that process and their compliance with it.
- Create a Verifiable Data Loop with All Service Providers and Data Processors. Businesses are now required to pass consumer data deletion requests from their own databases on to their service providers, which are also liable for noncompliance with the CCPA. Retailers that collect user data must also ensure that any customer relationship management (CRM) service provider or call center they work with is compliant with the CCPA. Companies that provide business services must likewise ensure they have the requisite privacy processes and mechanisms in place to support the companies that use their services.
- Create a Timely and Responsive System for Data Requests. Consumers have the right to obtain their personal information from a covered business within 45 days of a request. Consumers also have the right to request their personal information in a format that allows them to transmit it to another organization (or competitor). To ensure compliance, organizations must review how they currently respond to data access requests, evaluate how well those processes work, address compliance gaps, and find ways to automate, scale, and simplify manual compliance-related processes.
- Establish Verifiable Data Deletion Protocols. Consumers can request that businesses delete their personal information. Companies will need processes and mechanisms in place to respond to consumer deletion requests, identify where the data resides, and demonstrate to the customer that the information has been removed from their databases. Companies are also required to retain records of that process for regulators.
CCPA Compliance Can Create a Competitive Edge If Done Right
Businesses that responded to the requirements of by creating comprehensive data governance practices, recording the steps of their compliance efforts, and training their staff on individual rights procedures will have a head start on dealing with the CCPA. However, all companies that fall under the CCPA's jurisdiction (whether or not they are affected by the GDPR) will need to strengthen their data management practices before the January 1, 2020 statutory deadline. Companies that get ahead of CCPA compliance will not only minimize the risk of statutory penalties and private enforcement actions, but will also be able to carve out a greater competitive edge over companies that lag behind.