On January 1, 2020 the United States’ first consumer data privacy law, CCPA, went into effect. Privacy advocates applauded progressive steps the state of California made to allow residents to consent to, and control the access, deletion, sharing and selling of their personal data by businesses. However, similar to the implementation of GDPR, Europe’s 2018 sweeping consumer data privacy laws, CCPA has caused a lot of confusion and missteps by organizations attempting to ensure compliance with the new legislation. Are you making any of these 7 mistakes?
1. Assuming the CCPA Data Privacy Law Doesn’t Apply to Your Organization
While it’s called the California Consumer Privacy Act, even if your business is not based in California, CCPA can still apply to your organization. How can you know for sure? If your organization collects data on consumers or workers in California AND meets one of the following criteria, you’re obligated to comply with CCPA regulations:
- Your business has gross annual revenues of over $25 million USD.
- Your business possesses personal data of over 50,000 consumers, households or devices.
- Your business earns more than half of its annual revenue from the sale of consumers’ personal information.
2. Not Reading the ACTUAL CCPA Data Privacy Law
Yes, it’s boring to read long legalese. But how can you ensure compliance with new legislation you’re subject to if you don’t understand the scope of what the law requires? In addition to reading CCPA as it stands today, it’s also good practice to regularly revisit the law’s documentation as modifications can occur, especially during the early stages of its implementation. To stay up-to-date, check out the CCPA page of the California Attorney General’s website. There is also an option to subscribe to a CCPA newsletter to stay current on what’s happening with this new law.
3. Limiting Compliance to Select Departments Within Your Organization
While it’s clear that IT and operations teams are heavily involved in ensuring data security, data compliance is a cross functional effort and should not be siloed. Arguably, what drove the creation of CCPA and other data privacy regulation to begin with is the explosive volume of business data users. With the digital transformation well underway, almost all departments and various levels of employees and contractors need to use business data to drive decisions. And much of this data includes personal information about consumers. Anyone who handles sensitive personal information is a potential compliance risk for your organization. To mitigate these risks, at minimum, all department leaders should be aware of, and educated about CCPA. Furthermore, they should actively work on adjusting processes and activities to prevent CCPA compliance violations. Examples include sales managers informing sales reps of how they should and should not share customer and prospect data during the sales process, or general managers implementing user behavior monitoring software to mitigate accidental or malicious data theft.
4. Only Offering One Method for Data Access and Deletion Requests
While it may seem sufficient to provide contact information for consumers to assert their Right to Know or Right to Delete rights under CCPA, the law actually imposes strict requirements on this process. You need to provide a minimum of 2 methods for data inquiry or deletion requests to be CCPA compliant, and one of those methods must be a toll-free phone number. For businesses that have a website (and who doesn’t in 2020?), a webform for such requests is also required. In addition, web requests must include a two-step authentication process to be compliant.
5. Having an Undefined Strategy Around Data Privacy and Compliance
Under CCPA, businesses must provide explicit notice about its data policies to consumers at the time of, or before, data collection occurs. Unlike GDPR, which requires businesses to provide an explicit “opt-in” consent for personal data collection, CCPA requires businesses to provide “opt-out” consent which allows consumers to control the collection, use and sale of their data.
Businesses are also required to confirm receipt of a consumer’s Right to Delete or Right to Know request within 10 days of the request’s submission. In addition to confirming receipts of requests, the requests actually need to be processed. What does data destruction look like? Your organization will have to define what this process entails and who should be involved to ensure compliance with CCPA.
Need a starting point? Check out this on-demand webinar on how to get started assessing data compliance risks and explore easy solutions for you to quickly demonstrate compliance.
When designing your compliance strategy, many aspects need to be taken into consideration including technical processes, legal review, communication and documentation (both internally and to the consumer). In some instances your company will not need to comply with a consumer’s data deletion request, for example, if that information is necessary for security or for the core operation of your service. We recommend consulting with your legal counsel to determine which data use cases are exempt from CCPA.
Another interesting aspect of this law is the “right to non-discrimination” clause. Specifically, businesses cannot intentionally or inadvertently penalize consumers for exercising their privacy rights under CCPA. This can include consumers losing access to special promotions and discounts or experiencing any other disadvantages as a result of not providing their personal information to a business. Accordingly, it would make sense to ensure, at minimum, that your organization’s sales and marketing programs are also CCPA compliant.
What is personal information? Taken directly from CCPA, personal information is broadly defined as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked directly or indirectly with a particular consumer or household”. Again, we recommend consulting with your legal counsel to ensure you understand which data you collect and own could be subject to CCPA’s personal information definition.
6. Failing to Keep Records in Preparation for Audits
So, you have your internal CCPA compliance processes in place, you offer at least two methods for consumers to make data requests, and your staff is educated on the law. All set, right? Not so fast. In order to prove your compliance, you’ll need to keep detailed records in preparation for audits. Not only is this good business hygiene, it is also an explicit requirement of the law. Specifically, CCPA dictates that businesses must maintain records of consumer data Right to Know or Right to Delete requests, and the company’s response, for a minimum of 24 months after the request is processed or denied.
7. Thinking Noncompliance is an Option
Weighing the tradeoffs between security and costs is an everyday issue for most businesses. However, when it comes to meeting the requirements of data privacy laws, no company can afford to not have a data privacy compliance program in place.
Even if your company does not meet the requirements to be subject to CCPA accountability, being data compliant is a smart business decision. Data compliance isn’t just about avoiding violations and fines, it’s about building trust with your customers and protecting your brand’s reputation. Don’t know where to start? Sign up for a free ActivTrak account and in minutes you’ll have access to tools and safeguards that help you assess risks, prevent unauthorized access to personal information, secure data and demonstrate compliance.
ActivTrak is a workforce productivity and analytics software company that helps organizations understand how and what people do at work. Named “Editor’s Choice” by PCMag, our cloud-based user activity monitoring platform provides contextual data and insights that enable businesses to be more productive, secure, and compliant.