What is CCPA and will it affect your business?
Laura Heintz
Principal Analyst & Writer who clarifies business challenges, boosts productivity, and achieves results.
In June 2018, California’s Governor signed the California Consumer Privacy Act (CCPA) into law; it goes into effect January 1, 2020. The CCPA is the most comprehensive privacy law to date in the United States, and it is designed to give Californians more control over their personal information.
CCPA only applies to businesses that have:
- annual revenues exceeding $25 million
- records of more than 50,000 individuals, households or devices
- 50% of revenue coming from selling personally identifiable information (PII)
However, CCPA provides unprecedented privacy rights to California residents, marking a major shift in U.S. data privacy governance that will require significant changes to organizations’ data protection programs. CCPA’s impact will extend far beyond California’s state border, as it will most likely serve as the de facto national standard for organizations that process personal information about U.S. residents. With additional state bills proposing similar requirements, your organization might consider extending CCPA’s privacy protections to the individuals you serve across the U.S., so that you are operationally ready for other forthcoming legislation.
The first thing organizations must do is understand what information is being collected on individuals and determine where or how this information is being processed. This can be accomplished by performing a data asset inventory and data mapping to get a better understanding of where data is coming from and being stored, processed, and exported.
Next, organizations need to determine why the information is being collected and for what purpose. Is the information being sold? Is the organization being transparent with individuals on how their information is being handled? Finally, organizations need to ensure that they have appropriate controls in place to keep Californians’ personal information private and secure.
CCPA extends the definition of personal information to cover a household, whereas GDPR applies only to personal data about an individual. Another big difference between CCPA and GDPR is the consent model: GDPR is opt-in, meaning the consumer must actively agree before their data is collected, while CCPA is opt-out, requiring the consumer to take action to stop their data from being collected or sold.
Organizations need to prepare for the future of privacy and security regulation by adjusting business processes and activities to comply with CCPA provisions. Initially, this includes developing an understanding of how your business handles consumers’ personal information across the organization, including the human resources, customer service, and vendor management departments, and closing information security gaps and system vulnerabilities. It will also be necessary to update privacy policies to comply with CCPA requirements and to put processes in place that implement CCPA’s opt-out and deletion requirements.
With experience assisting clients to achieve GDPR readiness and ongoing compliance, I am poised to assist your organization’s security assessment team to verify that personal data is secure, implement the necessary process and procedure changes to be CCPA compliant, and develop or revise your privacy policies to incorporate the required information security language. If your organization does not have the time or budget to initiate a workflow to put CCPA controls in place, I can assist with your compliance effort with minimal to no disruption to your existing day-to-day business.