There is something you really need to know about the State of California. They have optimized around a key function that they do very very well. They know how to collect money from corporations. They know how to collect taxes, and know how to levy large fines and collect on them. The business that owes California money will pay, and the State will likely do everything in their power to make sure they pay as much as the law allows.
Keep this in mind as you consider the recent change to California law known as the California Consumer Privacy Act (CCPA) (aka California 2020).
The law goes into effect in January 2020. There are indications that there will be a very small grace period (up to 6 months) since some final regulations may be promulgated in January. But after that, if you are in violation you can be fined and the State will come for you.
The regulators who formed the law were informed by the EU’s General Data Protection Regulation (GDPR) and there are some similarities (both are broad in defining personal information). But the CCPA is even stricter. Here are key requirements in the CCPA:
The Right To Access:
- Consumers have the right to request that businesses disclose to them the info they have collected on them.
- This includes far more than just info collected online. It is any personal info from any source.
Right to Request:
- Consumers can ask that businesses disclose to the customer key information including how data is shared.
- Consumers can request that their data not be shared.
Right to Delete and Opt-Out:
- Consumers have the right to request that businesses delete personal info about them.
- Consumers can direct businesses not to sell their info
- Businesses must put in processes to ensure this works for consumers.
More CCPA Details:
The CCPA exempts many businesses. Most small businesses with gross revenue under $25m, and most organizations that handle less than 50,000 consumers, have broad exemptions.
The CCPA, like the GDPR, includes fines for violations, but they are calculated differently. The GDPR came with a maximum fine of 4% of global revenue. The CCPA comes with a fine of up to $7,500 per individual violation.
Consumers can also claim damages if companies do not comply, including if they allow data to be stolen (a breach).
The CCPA mandates appropriate technical and organizational measures to protect data.
Methods of communicating with consumers and letting them know how to exercise their rights are also dictated.
Our recommendations:
- If your business has not been taking this seriously, it is time to mount a full court press. Get the entire leadership team in a room and map out an action plan.
- Know what personal data you have on employees, customers and the market in general. Know how it is secured in storage and in rest. Know who has access to it. Now is the time to review your internal data classification policies and automate what can be automated regarding data classification.
- Know your business operations. Do your sell or share personal data? Are you sure of your answer?
- Exercise the key scenarios in the law. How will your firm respond to requests from consumers? How will you validate that their request was honored?
- Understand the role of your service providers in your data architecture.
- Evaluate your incident response plan.
- Develop and deliver a focused workforce training plan. With the CCPA, like other compliance and security domains, your workforce is your first line of defense.
- As part of your workforce training, ensure executive training and also incident response rehearsal through simulated exercises. Table top training exercises should put the executive team through the paces regarding consumer data requests and rights, as well as response to breach.
- This is a law, and that means you should engage legal counsel. But you should also read the law yourself. This will save you time and energy and will make sure your lawyer knows they are dealing with someone who really cares. Read the new law at: CCPA.
