Q&A on the CCPA: Understanding California’s New Data Privacy Law
6 May 2020
The new decade brings many challenges and changes to business by introducing a data security law that is the first of its kind stateside: the California Consumer Privacy Act (CCPA).
As of January 1, 2020, the CCPA is in effect for all businesses serving California residents. Companies have had to put in the time necessary to reorganize both their stored data and their processes to ensure they comply with the new rules. But if you’re new to the law and have questions, don’t panic. We’ve done our best to answer them here.
I missed the January 2020 deadline! What should I do now?
Underprepared companies can find themselves subject to fines and penalties issued by data owners (individuals, who are accountable for data assets). These fines must be paid, and the violation rectified, within 30 days. These penalties are retroactive for 12 months, meaning that your company could potentially face repercussions for data mishandled up to a year prior. However, it may take some time before the law is formally enforced in its entirety. Regardless, it’s imperative that you assess where your company stands on data privacy policies. You must create a map of all the information your company stores and identify which of it will need to conform to CCPA regulations. And, once you feel that your company has achieved compliance, further modifications and updates are likely to be needed to remain in good standing. Generally, businesses should understand CCPA compliance as an ongoing process rather than an isolated achievement.
What are the main components of the CCPA?
The CCPA gives California residents the right to know what personal data is being collected from them and whether it is sold or sent to anyone. They are able to opt out of the sale of their personal data as well as request access to it at any given time. They are also protected by their own privacy rights, which means they can go as far as to request the deletion of their personal data, no questions asked.
Does CCPA apply to businesses located outside of California?
If you deal with clients and companies that serve California residents, you must comply with the CCPA. For some reason, the new law has not been made widely known to business leaders around the world. Around 44.2% of business leaders surveyed by ESET in 2019 still hadn’t heard of the CCPA. So it is imperative that you take action to protect your company from scandals and lawsuits. Companies responsible for compliance don’t have to be based in California, or even the United States. If they interact with California residents, they fall under the conditions of the law. Additionally, if they have personal data on a minimum of 50,000 people, earn over half of their revenue from selling personal data, or have annual gross revenues above $25 million, they are also included.
Is it difficult to comply?
The CCPA requires you to update your company’s privacy notices and policies. It is also necessary to include data consent information on your webpages. The trickier part comes with establishing the necessary processes for consumers to request, access, change, and erase their personal data. Many companies have outsourced some of these tasks to third-party officers responsible for making sure the data gets properly categorized and secured. These individuals are also able to conduct employee training on crucial CCPA compliance requirements so that you can focus on organizational needs.
How should a business deal with users who make data-related requests?
First, it is your responsibility as a business to create the means for users to submit requests regarding their personal data. Your website should include the necessary contact information as well as a form for formally submitting requests. On top of that, you must have a way of validating the identity of the user to avoid putting personal data into the wrong hands. If a business is unable to confirm the identity, a written explanation must be provided in order to stay transparent and accountable in the eyes of the CCPA. Some larger companies, like Google, are taking steps to offer service provider guidance to help partners comply with the CCPA, so be sure to check whether you qualify.
Are data privacy laws here to stay?
Many believe that the CCPA is just the beginning for data privacy laws in the U.S. Other states are expected to follow suit and create their own laws modeled on the CCPA. Critics often point to the financial burden placed on companies that must revamp and change processes in order to comply with regulations. The Standardized Regulatory Impact Assessment (SRIA) estimates that the CCPA will cost businesses $55 billion in total, with many businesses failing to achieve total compliance due to the act’s complexity. Because of this, some say that simply enacting new laws will not get to the root of the problem. Companies dealing with data feel entitled to its unrestricted use, regardless of the consequences to both them and their customers. It will take some time before society’s mindset toward internet safety takes a turn for the better. Despite this, the foundation is currently being laid by laws like the CCPA and GDPR, which put the consumer first.