Preparing for the California Consumer Privacy Act: Avoid the Landmines & Learn from GDPR


When GDPR went into effect one year ago, it was clear that companies were not ready, and reports show that many still are not GDPR compliant. Half of companies self-reported missing the May 25, 2018 GDPR deadline, with most taking seven months or longer to reach compliance.

Companies and consumers alike have become more sensitive to how data is collected, processed and stored, and the regulations show no sign of slowing down. The data breaches of the last 12 months mean that more personal information is on the dark web and available for purchase, and consumers care more about privacy as a result. These breaches have helped fuel account takeovers, which tripled in 2017 and remain an emerging threat. While the attention is currently on GDPR, another regulation is on the way as the US follows in the footsteps of the EU: the California Consumer Privacy Act (CCPA).

When the CCPA goes into effect on New Year’s Day 2020, it is expected to be the strictest data privacy law in the US and will set the tone for other states looking to protect consumer privacy. It is not just a California initiative: the regulation affects any company that collects personally identifiable information (PII) online from California consumers. The CCPA is the first step toward the US adopting GDPR-like measures with wide-reaching impact.

The California Consumer Privacy Act was created to protect the privacy and data of consumers. The CCPA is intended to give Californians the who, what, where and when of how businesses handle consumers’ personal information. After January first, the CCPA affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.

Among other protections, the law stipulates that consumers have the right to request the deletion of personal information in a “readily usable format” that enables its transfer to third parties without complication. A key area where there is significant confusion is how to verify the requests companies will receive.

For-profit companies around the world have to comply with the CCPA if they receive personal data from California residents and if they, or their parent company or subsidiary, exceed one of three annual thresholds: the company has gross revenues of $25 million; the company receives, sells or shares information of 50,000 or more California residents or devices; or the company derives 50 percent or more of its revenue from selling consumers’ personal information.

The CCPA, combined with GDPR, poses significant challenges, and companies need to be preparing now in order to meet the Jan. 1, 2020 deadline. When preparing for the CCPA, companies will need to implement the following procedures to meet the requirements:

  • Right to Access: Organizations subject to the CCPA must honor consumer requests regarding the right to access their personal information.
  • Right to Delete: Organizations subject to the CCPA have an obligation to honor consumer requests regarding the right to delete their personal information.
  • Right to Opt Out: Organizations subject to the CCPA need to provide a clear and conspicuous link entitled “Do Not Sell My Personal Information” on their website and in their privacy policy by Jan. 1, 2020.
  • Children’s Information: Organizations subject to the CCPA cannot willfully disregard a consumer’s age and then claim they did not know they were handling a child’s information.
  • Privacy Policy: Organizations subject to the CCPA are required to disclose the categories of consumers’ personal information collected and the purpose regarding their collection and later usage. In addition, organizations that sell personal information are required to notify such consumers about the probability of their information being sold and their right to opt out.
  • Process for Consumer Authentication: While data privacy is at the heart of CCPA, companies need to ensure that they’re only releasing data to the actual account owner, and not a fraudster posing as a legitimate user.

According to a survey conducted by Compliance Week, 45% of compliance professionals surveyed said they are “working on a preliminary plan,” while another 26% said they have not started at all. Only 15% said their plan is “well underway,” and 13% said that while they have a plan in place, nothing has started. Failure to address an alleged violation within 30 days could be detrimental to a company. It could lead to a $7,500 fine per violation, which could be per record or customer file.

Companies are taking a big risk by not having a plan underway or in development. Based on incident response time under GDPR over the past 12 months, companies may have trouble locating, collecting and deleting consumer data across their infrastructures.

Furthermore, as companies work toward CCPA compliance throughout the remainder of 2019, they must be prepared to handle consumer requests as they come through.

Companies must be ready to provide customers with a complete list of the personal data collected, understand how that data was collected and stored, manage consumer requests for deletion of personal data, and have a process in place to delete personal data promptly when requested. If a company uses third-party vendors, it must also know where the data resides with each vendor, since those vendors will need to be ready to comply with the CCPA as well.

In addition, companies must implement a policy against re-selling consumer data without prior acknowledgment, must store PII securely, must have a predetermined data retention policy in place to ensure the timely deletion of data, and must be able to manually override those retention policies and delete consumer data upon written request.

Companies of all types are still grappling with the nuances of GDPR compliance, and the regulations are far from over. Data breaches continue to occur on a consistent basis, consumers are now more aware of, and sensitive to, how their data is collected, used and monetized, and the power is shifting back into consumers’ hands.

While GDPR laid the foundation, stricter laws are on the horizon with the CCPA and the anniversary of GDPR is a good reminder that there is a long way to go. January 1st will be here before we know it and preparation must begin now in order to be ready.
