As goes California, so goes the nation. It is therefore not surprising that the first state in the union to enact a comprehensive consumer privacy law is California.
The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020. With the New Year, businesses that meet the threshold for CCPA compliance must take additional steps to protect the privacy of Californians by honoring several rights, including the Right to Access, Right to Know, Right to Opt-Out, and Right to Deletion.
With the effective date quickly approaching, here’s how to prepare for CCPA compliance.
Does CCPA Apply to Your Company?
CCPA covers for-profit businesses that do business in the state of California, collect consumers’ personal information, and satisfy one or more of the following thresholds:
- Annual gross revenue in excess of $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers’ personal information
This raises the question: if your business isn’t located in California, do you have to comply with CCPA requirements? If you do business with California residents over the Internet and meet one of the thresholds, the answer is likely yes. Also, as many as 11 states have privacy regulations in the works, so even if CCPA does not immediately impact your business, the ripple of data privacy expectations across the nation most likely will. Ramping up for CCPA will therefore aid compliance with other state privacy laws and with an eventual federal privacy law.
The particular challenge with CCPA is that it is more expansive than many realize.
Privacy’s Pandora’s Box
What makes CCPA challenging is it isn’t just about compliance. It’s a regulation that also opens up organizations to multiple areas of risk due to the reach of the requirements. As a result, CCPA impacts processes for IT, information security, third parties, identity management, vulnerability remediation, and incident response.
CCPA’s Right to Deletion also has security carve-outs. A business need not delete personal information it must keep to “detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity,” or to “debug to identify and repair errors that impair existing intended functionality” (1798.105(d)(2)-(3)). Relying on those exceptions means your incident response and vulnerability remediation processes must be able to show which data they actually need for those purposes, and to delete everything else.
Delivering on consumer rights like opt-out and deletion isn’t just about communicating intent. Data that is kept in deidentified form, for example for research under 1798.140(s), must be “made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain” (1798.140(s)(3)). The objective is to bring permanence to the consumer request: a record that can still be linked back to the person has not really been deleted.
Bottom line: you’ll need consumer-facing and back-office processes for protecting personal information and honoring consumer requests, such as issuing disclosures, answering access requests, and carrying out opt-outs and deletions. That’s true whether the data resides with the company or with a third party.
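One way to make a deletion request permanent while still keeping the security logs the statute lets you retain is to let retained records refer to a consumer only through a keyed pseudonym, and to destroy the per-consumer key when the profile is deleted (crypto-shredding). The example below is an added illustration and is not code from the original article or from any product it mentions; it assumes a simple in-memory store, consumer IDs such as "alice", and HMAC-SHA256 pseudonyms, all of which are constructed for the demonstration.

```python
"""Honoring a CCPA deletion request with technical safeguards against reidentification.

Added example, not the article's own code. Assumptions (hypothetical): consumers
are keyed by a short ID, PII lives in `profiles`, and events retained under the
'detect security incidents' carve-out are written to `security_log` under a
keyed pseudonym only. Deleting a consumer erases the profile and shreds the
per-consumer key, so the retained log lines can no longer be linked back to the
person, while they remain usable for counting anomalies.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class ConsumerStore:
    profiles: dict = field(default_factory=dict)      # consumer_id -> PII (deleted on request)
    keys: dict = field(default_factory=dict)          # consumer_id -> per-consumer secret key
    security_log: list = field(default_factory=list)  # retained events, pseudonymous subjects only

    def register(self, consumer_id: str, email: str) -> None:
        self.profiles[consumer_id] = {"email": email}
        # A fresh random key per consumer: no global secret that could recompute every pseudonym.
        self.keys[consumer_id] = secrets.token_bytes(32)

    def pseudonym(self, consumer_id: str) -> str:
        """Keyed pseudonym; computable only while the consumer's key exists."""
        key = self.keys[consumer_id]
        return hmac.new(key, consumer_id.encode(), hashlib.sha256).hexdigest()[:16]

    def log_event(self, consumer_id: str, event: str) -> None:
        # The retained record carries the pseudonym only, never the raw ID or the email.
        self.security_log.append({"subject": self.pseudonym(consumer_id), "event": event})

    def delete_consumer(self, consumer_id: str) -> None:
        """Deletion request: erase PII and shred the key. The log itself is left in place."""
        del self.profiles[consumer_id]
        del self.keys[consumer_id]

    def reidentify(self, subject: str):
        """Map a log pseudonym back to a consumer. Succeeds only for consumers whose key still exists."""
        for consumer_id in self.keys:
            if hmac.compare_digest(self.pseudonym(consumer_id), subject):
                return consumer_id
        return None

    def failed_logins(self, subject: str) -> int:
        """Detection use case that still works on deidentified records."""
        return sum(1 for e in self.security_log
                   if e["subject"] == subject and e["event"] == "login_failed")


def run_scenario() -> dict:
    """Constructed walkthrough: one consumer, two failed logins, then a deletion request."""
    store = ConsumerStore()
    store.register("alice", "alice@example.com")
    store.log_event("alice", "login_failed")
    store.log_event("alice", "login_failed")
    store.log_event("alice", "login_ok")
    subject = store.pseudonym("alice")

    before = store.reidentify(subject)        # "alice": linkable while the key exists
    store.delete_consumer("alice")
    after = store.reidentify(subject)         # None: key shredded, pseudonym is now deidentified
    count = store.failed_logins(subject)      # 2: the retained log is still usable for detection
    # Verify nothing in the retained log names the consumer or their email.
    leak = any("alice" in json.dumps(e) for e in store.security_log)
    return {"reidentified_before": before, "reidentified_after": after,
            "failed_logins_after": count, "pii_in_log": leak}


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is the per-consumer key: with a single global HMAC key, anyone holding that key and a list of candidate IDs or emails could recompute pseudonyms and re-link deleted consumers, so deletion would only be as permanent as the key’s secrecy. Events for a deleted consumer remain linkable to each other under the same pseudonym, which is acceptable for deidentified data but means the pseudonym must not be stored next to the real identity anywhere else, including in third-party systems.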
Enlist the Right Technology for CCPA
Many companies have a multitude of technology tools in use, and most of these tools excel at their single purpose. For CCPA requirements that are broad and encompassing, another single-purpose tool is not the answer. A risk management technology platform that manages compliance and performs integrated risk management (IRM) is better suited. Such a platform integrates data from configuration monitoring and vulnerability scanners, streamlines assessments of third parties, simplifies policy management, and facilitates incident response, reporting, and collaboration with stakeholders.
No regulation is set in stone, and that is especially true of CCPA, which had six amendments signed into law in October 2019. The right platform is agile, enabling you to adapt when privacy regulations change or new regulations are enacted, which is a near certainty with U.S. state or federal privacy laws. The right IRM platform lets you focus on your business while keeping pace with new privacy regulations.
January 1, 2020 will be here soon. With it will come the first comprehensive state privacy law in the union, and we can only expect more to follow. Take the best practice route by creating new processes and implementing the right technology that can integrate multiple risk areas and streamline privacy compliance now.