Everything You Need To Know About CCPA Compliance
10/22/2020
The California Consumer Privacy Act (CCPA) came into effect on 1 January 2020. The strongest consumer data protection law in the U.S., it lays out the rules for handling customer data, similar to the EU’s General Data Protection Regulation (GDPR), which is considered the most important and comprehensive set of regulations around data privacy.
What happens if you don't comply? Your business could be liable for a heavy fine, as large companies such as Google and TikTok, which have been fined or investigated under the GDPR, have discovered.
In this blog, we will outline everything you need to know about this new data privacy law.
Who does the CCPA apply to?
In a nutshell, the CCPA protects the data privacy rights of residents of California and governs the businesses that handle their personal information.
The CCPA applies to for-profit businesses that do business in California, collect and process the personal information of California consumers, and meet at least one of the following thresholds:
- Annual gross revenue above $25 million
- Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year
- Derives 50% or more of annual revenue from selling consumers' personal information
The law also applies to any business that controls or is controlled by an entity that meets the above criteria.
The CCPA is enforced by the California Attorney General, whose enforcement actions began on 1 July 2020. A business accused of noncompliance currently has 30 days to cure the violation before penalties apply. Civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, can be imposed. Separately, the law gives consumers a private right of action when a breach of unencrypted or unredacted personal information results from a business's failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, so the security program, not just the privacy policy, is in scope.
How does the CCPA compare with the GDPR?
Any company that handles or processes the personal data of EU residents will be familiar with the comprehensive regulations set out by the GDPR. The two laws overlap in several ways and share certain principles including:
- Accountability for data breaches and for maintaining reasonable security
- Privacy by design
- Access, portability and erasure
- The right to object to, or opt out of, certain processing
The CCPA focuses on enforcing consumer rights, and California consumers are guaranteed the following:
- The right to know what personal information a business collects about them, where it comes from, and how it is used, shared and sold
- The right to have their personal information deleted (the "right to be forgotten"), subject to statutory exceptions
- The right to opt out of the sale of their personal information to third parties
- The right not to be discriminated against (for example through different prices or service levels) for exercising any of these rights
What businesses need to know
Under the CCPA, businesses have the responsibility to protect their customer data and to adhere to customer requests.
Some of the main provisions businesses need to comply with include:
- To publicly disclose and inform consumers of the existence and nature of their rights under the CCPA
- To disclose data breaches as required by California law
- To update their privacy policies to describe the categories of personal information collected, the purposes of collection, and the categories of third parties it is shared with or sold to
- To not discriminate against consumers who exercise their rights, including opting out
- To understand the restrictions that apply to the sale of personal information, including providing a "Do Not Sell My Personal Information" link
- To allow consumers to opt out of having their personal information sold to third parties
- To respond to verifiable consumer requests within 45 days (extendable once by a further 45 days where reasonably necessary)
- To secure opt-in consent before selling the personal information of consumers under 16, with parental consent required for children under 13
Steps to achieve compliance
In order to be compliant, businesses subject to the law will need to update their privacy policies and terms of use and honor all consumer requests regarding the handling of their data. The biggest change, however, is a shift in how your entire business views customer data.
Best practice steps include:
- Adopt a risk framework to form the foundation of your new policies
- Align your security policies and practices across all teams
- Ensure all employees are aware of the new regulations and the procedures in place
- Reach out to third parties and service providers about their compliance
- Invest in data protection software to control the flow of personal information through your business
By incorporating privacy by design, you ensure that every system and process in your business is built on a solid foundation of data privacy best practice.
In order to ensure complete compliance with the CCPA, businesses will also need to invest in the technology needed to ensure data is protected at every step. Data protection software such as sensitive data discovery and data masking, for example, satisfies multiple use cases and compliance requirements, including HIPAA, GDPR, GLBA and PCI DSS among others. Sensitive data discovery locates and classifies sensitive data in your organization, making it easy to take remedial action, whether through data masking, encryption or removal. Note that the CCPA's breach right of action applies to unencrypted or unredacted personal information, so masking or encrypting data at rest directly reduces that exposure.
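To make the discovery-then-mask workflow concrete, here is an added example (not Hush-Hush product code, and not code from the original post) that scans a few constructed customer records, classifies each field by the kind of personal information it contains, and applies a different masking rule per class: format-preserving masking for SSNs, keyed pseudonymisation for e-mail addresses so joins still work, and plain redaction for phone numbers. The regexes, the secret key and the sample records are all illustrative assumptions.

```python
"""Toy sensitive-data discovery and masking pass (added example, not vendor code).

Scans constructed customer records, classifies each string field by regex
(SSN, e-mail, phone), masks what it finds, and returns an inventory of where
each class of personal information was found.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Detection rules: class name -> compiled pattern. Deliberately simple;
# a production scanner adds validators and context checks to cut false positives.
PATTERNS = {
    # SSN: rejects area 000/666/9xx, group 00 and serial 0000 per SSA rules.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # North American phone: optional parentheses around the area code.
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
}

# Hypothetical pseudonymisation key. In practice load it from a secrets manager;
# without the key the mapping from token back to e-mail cannot be recovered.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def discover(value: str) -> list[str]:
    """Return the classes of sensitive data present in a single string."""
    return [name for name, pat in PATTERNS.items() if pat.search(value)]


def mask_ssn(value: str) -> str:
    """Format-preserving mask: keep the last four digits, blank the rest."""
    return PATTERNS["ssn"].sub(lambda m: "XXX-XX-" + m.group(0)[-4:], value)


def redact_phone(value: str) -> str:
    """Phone numbers are rarely needed downstream, so redact outright."""
    return PATTERNS["phone"].sub("[PHONE REDACTED]", value)


def pseudonymise_email(value: str) -> str:
    """Replace each e-mail with a stable keyed token (HMAC-SHA256) so records
    can still be joined on the masked value without exposing the address."""
    def token(m: re.Match) -> str:
        digest = hmac.new(PSEUDONYM_KEY, m.group(0).lower().encode(), hashlib.sha256).hexdigest()
        return f"user-{digest[:12]}@masked.invalid"
    return PATTERNS["email"].sub(token, value)


# Applied in this order so e-mail tokens (which contain hex digits) are
# produced last and can never be mistaken for a phone number.
MASKERS = {"ssn": mask_ssn, "phone": redact_phone, "email": pseudonymise_email}


def mask_record(record: dict) -> tuple[dict, dict]:
    """Scan every string field, mask what is found, and return
    (masked_record, inventory) where inventory maps field -> classes found."""
    masked, inventory = {}, {}
    for field, value in record.items():
        if not isinstance(value, str):
            masked[field] = value
            continue
        found = discover(value)
        for cls, masker in MASKERS.items():
            if cls in found:
                value = masker(value)
        masked[field] = value
        if found:
            inventory[field] = found
    return masked, inventory


# Constructed sample records: fictitious people, reserved 555 phone numbers.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ada Example", "ssn": "123-45-6789",
     "contact": "ada@example.com, (415) 555-0134",
     "notes": "Requested deletion via web form"},
    {"id": 2, "name": "Bob Sample", "ssn": "n/a",
     "contact": "bob.sample@example.org",
     "notes": "Called from 415-555-0199 about opt-out"},
]


def run_scan(records: list[dict] = SAMPLE_RECORDS) -> list[tuple[dict, dict]]:
    """Run discovery and masking over a batch of records."""
    return [mask_record(r) for r in records]


if __name__ == "__main__":
    for masked, inventory in run_scan():
        print(inventory)
        print(masked)
```

The inventory is the discovery output a compliance team would feed into a data map (which systems hold which categories of personal information); the masked records are what a test or analytics environment receives. Extending it means adding a pattern and a masker per data class, and choosing the masking strategy by what downstream consumers actually need from the field.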
More changes coming
This month, the California Department of Justice proposed a further set of modifications to the CCPA regulations. The latest changes propose even stricter provisions for offline notices of the right to opt out, the "Do Not Sell My Personal Information" opt-out request process, authorized agent requests, and the handling of children's information.
Hush-Hush offers a range of data protection solutions including sensitive data discovery and data masking, and is trusted by businesses of all sizes to maintain a tight rein on security.
Request a demo with a privacy expert now.