The start of the new decade also marked the beginning of enforcement of a new law: in California, a law protecting consumers’ privacy went into effect. Assembly Bill 375 / Senate Bill 1121, commonly known as the California Consumer Privacy Act (CCPA), gives consumers the right to know what Personally Identifiable Information (PII) companies store about them and what the companies do with it. If companies do not handle customer data as stipulated by CCPA, consumers can sue them for privacy violations.
Which Companies Are Impacted by CCPA?
Not all companies come under the purview of CCPA. The size of a company’s customer base, whether California residents are its customers, the company’s revenue, and the portion of its revenue from sales of personal data are all factors in determining CCPA’s applicability to that company.
Only companies with more than 50,000 customers, some of whom are California residents, need to be CCPA compliant. Additionally, the company’s revenue must be more than 25 million dollars, with at least half of that revenue coming from the sale of personal data. Non-profit firms are exempt from CCPA.
Even if your business does not fall into this category today, it is a good idea for small businesses that are presently exempt from CCPA to build a compliance framework anyway. This is especially true if they expect their revenue and customer base to exceed the thresholds in the foreseeable future. So, what exactly do businesses need to do to comply with CCPA?
Steps to Take for Compliance
There are several things that a company must do to be CCPA compliant. We have identified three of the most important steps to help you begin your journey to CCPA compliance.
1. Have an adequate data classification and management infrastructure
Under CCPA, customers can request to know all of the personal data that companies have stored on them. They can also ask for the names of other companies that had access to this data in the past 12 months. Additionally, customers can ask that their personal data be deleted and opt out of having it stored in the future.
Businesses have 45 days to respond to customer requests. Hence, it is crucial to have a data management framework that allows quick identification and easy extraction of each customer’s data.
You need to ensure not only data organization but also data security. If you’re storing customer data of any kind, you must take the necessary steps to prevent theft via ransomware, hacking, insider threats, and more.
In 2018, we saw a 300% increase in ransomware attacks over the year before; 2019 saw even more. Connecting with a quality, experienced data security team is an easy first step toward getting an assessment of your data classification and security needs.
2. Be proactive with customer notification and requests
Yes, California residents will come to know about the law and its implications. However, businesses will do well to proactively educate their customers about their rights and options under CCPA. Doing so positions your business favorably as a responsible company that wants to do the right thing for its customers. And when customers submit requests for information or action, be sure to fulfill them well within the 45-day period that the law mandates.
Also, since CCPA is a new law, it is likely to undergo modifications. Keep your customers updated on all changes to CCPA. This will continue to build trust with your clients, helping them feel that their data is secure under your roof.
3. Prepare for more state laws like CCPA
California may be the first state to enact a data privacy law like CCPA, but it’s probably not the last. The future is likely to bring more laws like it from other US states. There may also be federal consideration of similar or competing legislation.
While you are designing your data management framework for CCPA, it’s a smart business decision to make it flexible and adaptable enough to accommodate future laws. And if your business plans to expand into the EU, consider building a framework that can handle the EU’s GDPR as well.
Complying with CCPA can seem overwhelming at first. But start with these three tips, and you’ll have a head start.
And one other step: if your IT department does not have the bandwidth to take on CCPA, get the help of an expert in the field like Executech. Having provided IT consulting services to businesses for over 20 years, we’re continually adapting to the needs of our customers and the state of the security landscape. Whether you operate an SMB or an enterprise in a sector such as banking or medical, we’ve developed systems and processes for each new need. We can help you achieve compliance with CCPA.
Contact us today for answers to your CCPA questions and for whatever help you may need complying with the new law.