For decades, consumers on both sides of the Atlantic have been concerned about the ways in which businesses collect, protect and use their sensitive, personal data. Those concerns resulted in the passage of the General Data Protection Regulation (GDPR) in the European Union several years ago.
That legislation impacted American companies collecting personal data from customers in Europe, but many states felt the need to extend broader rights to consumers in the U.S. One of those states was California, which in 2018 passed the California Consumer Privacy Act (CCPA).
What is the California Consumer Privacy Act?
Among the new rights enjoyed by citizens of the state, consumers will now be able to know what data (and types of data) businesses collect, as well as the reasons for data collection. They will also gain the right to refuse the sale of their personal information to third parties, ask that businesses delete their data, and perhaps most importantly, sue companies if their personal information is breached or otherwise compromised.
As Business News Daily points out, CCPA gives consumers a wide slate of new rights, but affected businesses don't need to comply with every consumer request, and knowing which requests are the important ones is critical to the smooth functioning and continued viability of their companies:
"…CCPA is a bill that will require businesses to implement new policies and procedures to ensure the protection of personal information. This includes privacy policies, security protections and facilitation of consumer rights. However, businesses are not required to honor all consumer requests. Each should be analyzed to ensure the business is only honoring those applicable..."
Most California Businesses Don't Know How CCPA Affects Them
The new legislation went into effect on January 1, 2020, but many companies in the state remain in the dark regarding the impact the new law will have on their businesses. In one recent survey of affected businesses, for example, almost half couldn't even describe what CCPA is. Of those who could, less than 12% knew if the law had any impact on their companies—and more than 1 in 3 said they didn't know if they needed to do anything to make changes in their data collection and privacy policies to prepare for CCPA.
That lack of understanding could be costly for many California businesses. For example, last year was one of the most active in the state for data breaches—a total of more than 6,500 affecting approximately 5 billion data records.
What New Rights Does CCPA Give Consumers?
According to Californians for Consumer Privacy, CCPA gives consumers the right to:
- Know about all the data a business collects about them
- Know what "categories" of data are being collected
- Know the company's rationale for collecting those data (both before and after they're collected)
- Disallow companies from selling their data to third parties
- Request that companies delete their personal data
- Know about any third parties with whom their data is being shared
- Sue businesses when their personal information is compromised (for example, through a data breach)
What Do Businesses Need to Do with CCPA?
To begin, CCPA covers businesses that make $25 million or more, sell at least 50,000 consumer records, or earn half of their revenues from selling consumer information per year. This will include companies not located in California that do business with consumers in the state. In other words, CCPA will impact not only large, enterprise organizations, but also many small and medium-sized businesses in the state.
That said, impacted businesses, regardless of their size, will need a smart strategy to prepare for the rollout of CCPA. Although every business is different, for the lion's share this means taking the following 3 actions:
1. Get Informed
Many companies in Europe and America were caught off guard by GDPR. Since the inception of that law, for example, almost 60,000 GDPR data violations have occurred in the European Union alone, and many businesses were forced to close shop because of their inability to meet compliance requirements.
That experience serves as a cautionary tale for American businesses about CCPA. The first thing you need to do, in other words, is understand (perhaps with third-party assistance) the nuances of the new law (including what data are covered and fines for violation of the law) and identify any internal processes regarding the ways you collect data and the ways you communicate with customers that could be risky for your business. It's also critically important to assign someone within your business chief responsibility for ensuring compliance with the new law.
2. Review Your Customer Communications
You might think your communication with customers is straightforward and transparent, but your customers might disagree. In one recent survey of almost 300,000 U.S. consumers, less than 8% said they knew how their data was being used by businesses.
Relying on traditional consent notices could be dangerous. Those disclosures are typically complicated and difficult to understand—one of the reasons almost 80% of consumers confess to not reading them from start to finish. Your company will need to find other, more accessible means to ensure customers fully understand what data is being collected, why your business needs it, the uses to which it's being put—and to explain consumers' new rights under CCPA.
3. Ensure Your Data Partners Are CCPA Compliant
Under the new legislation, your company could be held liable if any of your data partners or vendors violates the terms of CCPA. That means you need to make sure each of those vendors is fully compliant with CCPA. In other words, you need to have a frank exchange with every vendor about their data practices.
For example, you need to ask them if they've taken steps to ensure compliance, how they generate data and how they communicate their data practices with customers. You should also establish who within their business is responsible for CCPA compliance, and how that person will work with your business to ensure compliance in the future.
Conclusion
Laws like the California Consumer Privacy Act can be both complex and confusing, especially for relatively small companies that don't have the time or in-house expertise to ensure compliance. If anything, the future will be even more complex, with small businesses potentially juggling multiple consumer privacy laws, some of the provisions of which could be contradictory. Fortunately, there are businesses that can help, giving you the advice and guidance you need to succeed.
IT Guidance for California Businesses
At Accent, we provide our clients with guidance and recommendations for all kinds of decisions that have to do with technology.
Contact us for a free IT assessment. It will give us the chance to get acquainted, and you can get actionable recommendations for IT improvements whether we end up working together or not.