The California Consumer Privacy Act, or CCPA, seemed to take an age between being signed into law in 2018 and coming into effect in January of this year. Even after this long lead-up time, businesses were given an additional six months of grace. That six-month period has just come to an end, on 1st July.
So now that CCPA has properly come into effect, what’s your business doing about it?
You might be doing nothing. On the face of it, the threshold for whether you need to comply with CCPA or not seems quite high. You need to satisfy at least one of the following:
So this would only apply to the big fish or those involved in data brokerage, right?
Maybe not. Consider a website that generates most of its income through targeted ad revenue. The third-party cookies installed on the site will be gathering personal data, and that means the data is, in effect, being sold to advertisers by the website owner. If that describes your site, you might well need to comply with CCPA stipulations.
And for businesses that don’t sell data for advertising, remember the CCPA is only in its early iteration. Amendments are coming down the line. For instance, it might be wise to watch out for changes to the somewhat vague definition of what the ‘sale’ of data actually is. There has been a great deal of back and forth about this, and tweaks to this definition can mean that organizations that might today consider themselves outside the CCPA remit will find themselves having to comply with CCPA regulations.
But what if you know your business needs to be compliant and you have taken all steps necessary to protect personal data and allow consumers to exercise their rights? That’s great! But please don’t rest on your laurels. As I mentioned above, the CCPA itself is subject to change. And if that wasn’t enough, the California Privacy Rights Act (CPRA) is now on the state’s November 2020 ballot. This proposed legislation has the intention of giving Californians “the power to take back control over [their] personal information, expand consumer rights, create more transparency and establish an enforcement arm to protect these rights”.
Watch that space!
The pandemic has also changed the way many companies do business. Whether exploring new markets or adapting to changing consumer behaviour, you may have changed your whole business model and what you do with the data you gather from your customers. You should review the changes you’ve made, to make sure your disclosure processes are still in line with the data you gather.
And finally, you might be in the third category of CCPA readiness. You think you need to be compliant, you’ve done some work on it, but you know it’s not enough. Well, the world did kind of turn upside down, didn’t it? Many businesses are worried about literal survival. But the act is now being enforced, and penalties are pretty stiff.
As a start, you need to do the following right now:
o Focus all your attention on CCPA compliance.
o Determine what personal data you collect from whom and understand how it is processed, where it is transmitted and stored and for what purpose.
o Contact third-party data processors to ensure they can comply with CCPA requirements.
o Draft the notices and disclosures, and create a process to respond to customer requests, including requests for data deletion.
A final point. If you have the resources to spare, it might be worth laying the groundwork in readiness, even if you fall outside the CCPA guidelines. Privacy is a hot issue and states will continue to introduce new guidelines. Getting ready now will save you a glut of hassle later.
Wherever your business is in terms of CCPA readiness, it makes sense to talk to a third party with a proven track record in helping organizations with compliance. The experts at TBG Security can reassure you that you’ve done all you need to do, help you get over those final hurdles, or get you sprinting out of the starting blocks. Contact them today.