Sep 20, 2019
Data privacy regulations are changing how organizations do business, and the California Consumer Privacy Act, or CCPA, is no exception. The CCPA lays down strict rules for how organizations must handle consumers' personal information, including which information is collected, how it is stored, who it is disclosed to, and more. The act takes effect on January 1, 2020, but organizations should already be preparing for it if they don't want to fall behind.
Becoming compliant with regulatory mandates like these doesn't happen at the wave of a magic wand. The number of changes the CCPA requires calls for careful planning well before the act takes effect. Consider this: the CCPA grants consumers the right to know how their data has been handled in the preceding 12 months, so a request made on January 1, 2020, covers data collected since January 1, 2019.
This is why organizations should act now if they wish to be compliant when the CCPA goes into effect. Here are some critical steps organizations can take today to get ready for the CCPA:
Let's say a customer asks you what data your business holds about them. You consult your central customer database and promptly get back to them with their name, address, and phone number. The next day, marketing sends them an email saying "We think you'll like these blue shirts, since it's your favorite color!" Inferences like that preference are personal information under the CCPA, so by leaving them out you gave the customer an incomplete response and fell short of the act's right-to-know requirements.
This example highlights the fact that data is often stored in silos across departments and systems. You need to map out exactly what personal information you're processing, where you obtain it, where it's stored, who has access to it, and how it's used. Preferably, you should retain only the data required for defined business purposes, which also shrinks the amount you have to find, protect, and report on.
The CCPA exposes a company to heavy penalties if it fails to implement and maintain reasonable security procedures to protect personal information from unauthorized access, exfiltration, theft, or disclosure. In an enforcement action by the California Attorney General, a company that does not cure a violation within 30 days of being notified is liable for civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Given that we're used to seeing millions of records exposed in a single incident, the exposure for a breach of that size would be astronomical.
The act also gives consumers a private right of action when their personal information is breached because the company failed to maintain reasonable security. In that case the company is liable for statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, with no need for the consumer to prove a specific loss to collect the statutory amount.
Organizations share data with numerous parties during regular business activities. The CCPA aims to regulate this, and lays down strict rules on the sale or disclosure of personal information to third parties, including how consumers can opt out of such sales.
For instance, if a customer requests that their data be deleted, the company has to ensure it is deleted from its service providers' systems as well, regardless of whether those third parties are themselves subject to the CCPA. It is therefore critical that you examine your data-sharing practices, review your third-party contracts for deletion, use-restriction, and security obligations, and revise them as needed before the act takes effect.
Consumers have the right to request access to the personal information your company holds about them. They can also request that you delete this data, or opt out of its sale to third parties. As a company, you have a responsibility to set up convenient channels for consumers to make such requests, verify the identity of the person making the request before disclosing or deleting anything, act on the request, and communicate its status to the consumer, all within 45 days of receipt (extendable once by a further 45 days when reasonably necessary). Given the complex ways in which data is stored in most systems, it's imperative that you build new (or modify existing) processes to handle consumer requests end to end, and test that they work reliably and within the deadline.
The CCPA explicitly requires that the employees responsible for handling consumer inquiries understand the relevant sections of the act and know how to direct consumers in exercising their CCPA-granted rights. While educating employees is always a good idea, here it is a legal requirement, so plan training programs to get front-line staff up to speed on CCPA requirements before the act takes effect.
The CCPA is set to bring about wide-ranging changes to the way organizations do business. Changes like these don't happen overnight. Businesses that fall under the purview of the act need to plan their compliance journeys well in advance, using a series of well-placed measures aimed at improving their data architecture, security, and business processes.