Here Comes CCPA - Is Your Business Ready?
Does your company collect consumers’ personal data, do business in California, and satisfy at least one of the following criteria?
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Annual gross revenue of more than $25 million
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
If so, you had better be ready for the California Consumer Privacy Act of 2018 (CCPA). The new rules, which go into effect on January 1, 2020, are designed to strengthen the privacy rights and consumer protections of California residents. And they could have a big impact on small and mid-sized businesses (SMBs) whose business model relies heavily on data.
The act gives state residents the right to know what personal data is being collected about them, whether that data is sold or disclosed and to whom, along with a number of other rights over their personal data.
What are the requirements of CCPA?
The act imposes four main requirements. The first is the protection of personal information, which is defined as data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The second is the disclosure of the sources, categories, or specific pieces of consumer information collected, sold, or disclosed for a business purpose. The third is the deletion of data if requested by a consumer. And the fourth requirement is enabling data access and portability if requested by consumers.
The repercussions for failing to comply with CCPA can be significant. Companies whose failure to implement reasonable security leads to a breach of consumers’ personal information can be ordered, in civil class action lawsuits, to pay statutory damages of between $100 and $750 per California resident per incident (or actual damages, whichever is greater). Separately, the state Attorney General can seek civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation of the law.
Research shows that many companies are not prepared to meet the requirements of CCPA. For example, a 2019 report by Dimensional Research showed that a majority of U.S. companies (88%) need help complying with the new rules. The study was based on an online survey of 250 IT and privacy/legal professionals.
A mere 14% of the companies surveyed by Dimensional said they were compliant with CCPA, and 44% had not yet started the implementation process. A majority of the companies (62%) said the biggest motivation to comply with the rules is to meet partner and/or customer requirements.
How Your Business Can Be Prepared
By now, most companies subject to the privacy rules should be well on their way to evaluating the data management and privacy measures they already have in place and determining what needs to be updated. It’s not too late to get the process in motion.
Research firm Gartner has suggested a few steps toward ensuring compliance and developing an effective privacy program as part of technology, information, and resilience risk management.
One is to identify the organization’s existing capacity to address subject rights requests (SRR) under the CCPA by measuring the speed, cost, and scale of SRR fulfillment. These will become the central metrics for reporting and monitoring progress, the firm says.
Many companies struggle to create a coherent data ecosystem, caused in part by siloed environments and fragmented data management practices, the firm says. Meeting the CCPA requirements demands that businesses maintain up-to-date knowledge of the personal data they’re holding and the capacity to act on that knowledge.
Another good practice is to deliver a user-centric experience by establishing a consumer rights fulfillment program around transparency and clear communication. Gartner states “the CCPA is a business opportunity for organizations to attract new prospects and drive depth and stickiness in their existing customer base.”
As the firm points out, consumer privacy legislation is sweeping the nation, with states beginning to take extensive action to protect their residents’ data. CCPA introduces new challenges when handling personal data and raises the baseline across the U.S., Gartner says. Texas, Washington, and Massachusetts are making strides to follow suit.
Companies should “seize the opportunity to position their privacy program as a competitive advantage and not merely for compliance,” Gartner says. A side benefit of working toward compliance is that it also helps companies better protect customer data, which is something that should always be on the radar anyway.
Any SMB that meets the criteria for being subject to the rules should take action now.
Indeed, it would be a mistake for SMBs to assume that CCPA doesn’t apply to them. The potential financial impact for failing to comply can be huge—especially for a company with limited resources.