CCPA compliance: Are you ready for 2020?
The California Consumer Privacy Act (CCPA) will go into effect January 1, 2020, requiring businesses to provide transparency, control and accountability around their data collection and use policies. Enforcement is slated to begin July 1, 2020.
The CCPA began as a grassroots movement in Oakland started by real estate professional Alastair Mactaggart who, after chatting with a friend working at Google, became concerned about how much of our personal information was being gathered, used and sold between large companies.
After researching online tracking and data mining, he learned that the U.S. had no rules around how companies could collect and use consumer information.
In just a decade or so, the amount of time people spend interacting with technology has multiplied exponentially.
Every interaction generates more information about our habits, preferences and private lives. Companies can use that data to provide more targeted offerings or sell it to other companies for a large profit.
With the spread of AI and internet-of-things (IoT) technologies, Mactaggart knew the situation could only get worse.
The story of how Mactaggart acted upon his concerns, got the help he needed to draft a bill, obtained enough signatures to bring it to the ballot, and then ultimately worked with stakeholders to draft final legislation that the California Senate passed unanimously is fascinating and inspiring — and also fraught with setbacks, potential disaster, and compromise.
But it is the perfect example of a concerned citizen taking an action that inspired a movement, which continues to gather steam around the globe.
What does the CCPA do?
The main goal of the CCPA is to improve the security and protection of an individual’s personal information. The CCPA offers consumers transparency, control and accountability:
California residents have the right to know what has been collected about them or their children, including any activity or data gleaned from their devices, and they have the right to tell businesses not to share or sell that information.
Once a year, businesses are required to inform people of what categories of information they have collected about them, their devices or their children. If that information is sold, they also have to let people know what categories of information were sold and to whom.
California residents have the right to control what personal information is collected.
Consumers can have their personal information deleted from a business’s servers under specific circumstances. If a consumer tells a business not to share or sell their private information, the business cannot charge more or deny access to services. Businesses must prominently display a “Do not sell my data” link where consumers can opt out.
Businesses are required to implement “reasonable security measures” to protect the personal information of California residents. If a breach does occur, businesses must file a report immediately. Businesses that do not adequately secure personal information will be subject to stiff fines and other penalties.
The CCPA applies to any organization worldwide doing business in California and exceeding annual gross revenues of $25 million, holding personal information of 50,000 or more California residents, or receiving 50% or more annual revenues from selling California residents’ personal information.
What are the business impacts of CCPA?
All businesses everywhere need to step up their information handling and data protection strategies now.
While the CCPA applies only to businesses with customers in California, it is only a matter of time before other states implement their own legislation.
A national policy is also on the drawing board.
For international businesses, the CCPA adds another layer of privacy regulation atop the General Data Protection Regulation (GDPR) covering EU citizens. Fortunately, the two regulations have a lot in common, so if you have already implemented a GDPR strategy, you will have a solid start toward CCPA compliance. However, several other countries have already begun drafting legislation, which will further complicate things.
Organizations in most industries will ultimately need to comply with a range of regulations, the specifics of which are likely to evolve over time. With that in mind, it’s critical to develop global privacy policies that are well thought out in relation to your business — and that extend beyond simply meeting current regulation requirements.
Approaching privacy as a corporate value will not only keep you ahead of the regulations but will position your company as a forward-thinking, concerned business.
You also need company-wide processes in place to help streamline your compliance efforts, and they need to be easy to follow and understand so that workflow is minimally disrupted. If they are cumbersome or disruptive, your people will find ways to sidestep your policies.
Ultimately, your policies and processes should help you comply with 90% of the privacy regulations you are responsible for.
But you don’t want to risk noncompliance.
Not only will you face steep fines and penalties, but the damage to your brand and to consumer confidence in your business will be enormous.
Under the CCPA, your organization will need visibility into what types of data you possess and where that data is located. You’ll also need to be able to take certain actions with this data: for example, encrypt it, apply rights access controls, redact it, de-identify it, delete it and so on.
Many organizations struggle to know what types of data reside within their systems, let alone how sensitive the data is and which regulations apply to it.
In a recent Forrester survey, 28% of respondents named compliance with new privacy laws as their top IT challenge.
Get the help you need to achieve CCPA compliance
Titus solutions can help you protect all of the personally identifiable information and other sensitive data generated during your day-to-day business as well as the existing data you have residing inside your networks.
For more information on CCPA and how Titus helps enterprises achieve compliance, download our solution brief.
Don’t wait until the CCPA goes into effect.