CCPA Compliance Resources

What is the CCPA? How could it impact your enterprise?

The California Consumer Privacy Act of 2018 (CCPA) takes effect as law on January 1, 2020, granting California residents new rights with regard to the collection and use of their personal information. It also presents corporate legal and compliance professionals with complex CCPA compliance challenges.

Why does the CCPA matter?  California is the fifth-biggest economy in the world, and any company hoping to do business in the Golden State via digital channels has to be compliant with the new law in order to keep operating there. Plus, there are over a dozen other U.S. states that have enacted or are considering data privacy laws. So installing processes and tools for CCPA compliance can prepare you for dealing with other regulations.

Who does it apply to? The CCPA applies to for-profit companies meeting at least one of the following criteria:

• Has an annual gross revenue of $25 million or more
• Buys, uses, sells, or shares the personal information of at least 50,000 consumers, households, or devices within California
• Receives at least half its annual revenue by selling consumers’ personal information

Is there anything else? You bet! Here are instances where you still must be ready to show CCPA compliance:

• If you supply goods or services to a company that’s required to comply with CCPA, or have a contract with one, or otherwise do business with one. Even if you’re only supplying tote bags to a business covered by CCPA? You’re also obliged to be able to prove compliance.
• If you fall under one of the rules above and you’re not based in California, nor do you have a physical location in California.
• If you fall under one of those rules and are a company that “de-identifies” data collected about individuals, stripping it of elements that might be used to identify a person in order to use the de-identified data for purposes like statistical analysis.

Does the CCPA include a “right to be forgotten”?  Yes, like the GDPR, but the CCPA’s interpretation of this right creates extra work for data and compliance managers:

• If a consumer requests you delete their data there can be exceptions, such as data you need in order to complete your business with that individual.
• If you need to mail them a product they’ve paid for, or keep track of their purchase history for tech support purposes, you don’t have to grant the request.
• If you’re under a legal obligation of some sort to keep their data, you don’t have to grant their request.

Any other wrinkles? One is that a consumer can permit you to keep but not share or sell their data. So you’ll need to manage their data based on each individual request.

If I’m not compliant, will it hurt?  California is expensive, all right: If you’ve failed to delete a personal data record when requested, or it’s sold without the person’s permission, or leaked, the minimum fine is $2,500 per record. The fine escalates the longer it takes to fix the issue, too. If it’s determined that a breach was due to a known issue you ignored, the fine can automatically shoot up to its cap of $7,500 per record. Multiply this times the number of records that might be involved and you can see how noncompliance can get ruinously costly.

How can technology enable CCPA compliance?

The complexities of dealing with more and more new regulations like the GDPR and CCPA have made traditional processes and tools obsolete. To cost-effectively mitigate potential risk and exposure, companies are turning to state-of-the-art legal and GRC software solutions.