Cybersecurity and data protection are top priorities for the modern enterprise, and the concern is growing for today’s consumers as well. Beyond best practices and self-imposed processes, certain governing bodies can require organizations to meet even higher security standards through compliance regimes such as HIPAA, FERPA, or GDPR. Starting in 2020, companies doing business in California will be adding the California Consumer Privacy Act (CCPA) to their list of regulatory requirements, and the rest of the country may not be far behind in adopting similar consumer privacy laws.
Recognizing the Need for New Compliance Standards
The need for these new compliance measures is outlined within the bill’s text, which states that “California law has not kept pace with [technology] developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” Sparked by the “devastating effects for individuals” of the “misuse” of data by Cambridge Analytica and by a string of data breaches, CCPA intends to enable California consumers to “exercise control over their personal information” with “safeguards against misuse of their personal information.”
Protecting and empowering consumers is a key component of building trust and long-lasting relationships with customers, but is your organization ready to comply with CCPA requirements?
What is CCPA?
Signed into law on June 28, 2018 and effective on January 1, 2020, the California Consumer Privacy Act, or AB 375, requires organizations to account for the personal data they hold and to be transparent about how they collect, share, and use it. The law grants any California consumer the right to:
- Know what personal data is being collected about them
- Know whether their personal data is sold or disclosed and to whom
- Say no to the sale of personal data
- Access their personal data
- Request a business delete any personal information about a consumer collected from that consumer
- Not be discriminated against for exercising their privacy rights
Like GDPR and other compliance measures, CCPA is designed to advocate and support individual consumers in this ever-evolving IT environment.
Does Your Business Have to Comply with CCPA?
Any for-profit organization doing business in California that collects consumers’ personal data and meets at least one of the following thresholds must comply with CCPA:
- Has annual gross revenues in excess of $25 million
- Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information
While the current compliance requirements are limited to California, this new privacy law could signal the beginning of a nationwide change, similar to GDPR regulations in Europe.
What are CCPA Requirements?
For businesses that must adhere to CCPA law, compliance breaks down into 5 main requirements:
- Data inventory and mapping of in-scope personal data and instances of “selling” data
- New individual rights to data access and erasure
- New individual right to opt-out of data selling
- Updating contracts and service agreements with third-party service providers and data processors
- Remediation of information security gaps and system vulnerabilities
Companies already following GDPR will have a head start on CCPA compliance, since the two privacy regimes overlap in several areas (data inventories, access and deletion rights, processor contracts). But meeting every CCPA requirement will still take diligence, even for organizations that are compliant elsewhere, and any gaps now carry new consequences.
CCPA Penalties and How to Avoid Them
As with any compliance enforcement, violating the CCPA comes with a price tag. Civil penalties, assessed in an action brought by the Attorney General under Section 17206 of the California Business and Professions Code, are up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Yet the larger potential impact comes from the law’s private right of action: consumers can sue a business when their nonencrypted and nonredacted personal information is exposed in a breach caused by the business’s failure to implement and maintain reasonable security procedures, and they do not have to prove actual damage to recover. The law lets individuals recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Preparing for CCPA, and mitigating the risk of penalties, starts with steps like data mapping, third-party assessments, revamping internal privacy policies, and monitoring for amendments and regulatory guidance as they are issued. Designating a risk or compliance lead to drive the changes needed to meet and maintain the CCPA standards is the best way to stay on top of CCPA and of every other compliance obligation the organization carries.
Understandably, not every enterprise can assign new responsibilities or roles to meet the upcoming CCPA compliance mandates. Partnering with trusted cybersecurity and compliance experts can lift the burden of assessments, adjustments, and ongoing maintenance that California’s privacy law requires. Even businesses outside the Golden State should start evaluating their own plans for heavier compliance measures. Engaging with managed IT compliance partners today will save you from scrambling to understand new policies and procedures later.
Ntirety Delivers Leading Compliance-as-a-Service Solutions
As a leading HIPAA-compliant, HITRUST- and PCI-certified service provider with 20 years of industry experience, Ntirety is a trusted partner and knowledgeable resource positioned to guide enterprises through the next wave of compliance requirements under CCPA.
Through our Compliance-as-a-Service (CaaS) offering, organizations can draw on Ntirety’s compliance experts in a number of ways, depending on each company’s resources, budget, and the level of assistance needed. Ntirety’s CaaS provides guidance from the very beginning, interpreting complex and frequently changing compliance requirements and identifying the gaps in current policies and procedures that could lead to a failed audit. In-depth advisory work further prepares companies for risk assessments and compliance audits, and frees an organization’s time and resources to focus on business goals beyond compliance.
Dedicated to keeping businesses secure and compliant, Ntirety provides a proven track record to help companies avoid penalties, reduce risk, optimize IT costs and enable the future-ready, agile enterprise.
Ready to find your compliance officer? Schedule an assessment to find out what Ntirety can do for your business.