Wednesday, September 30, 2020
Complying with the California Consumer Privacy Act

Complying with the California Consumer Privacy Act

The California Consumer Privacy Act of 2018 (CCPA) gives California residents more control over their personal information that businesses collect about them. The CCPA took effect on January 1, 2020, and final regulations for the statute were approved on August 14, 2020. Enforcement of the CCPA by the California Office of the Attorney General has begun and affected business not in compliance can be fined up to $2,500 per violation or $7,500 for each “intentional” violation.

Who has to Comply with the CCPA?

For-profit businesses doing business in California that collect and control California residents’ personal information must comply with the CCPA if they meet one of three requirements: (1) have annual gross revenues more than $25 million; (2) possess the personal information of 50,000 or more consumers; or (3) earn more than half of its annual revenue from selling consumers’ personal information. For further information about affected employers, see our previous article on the CCPA.

Compliance Strategies to Minimize Enforcement Risk

Businesses required to comply with the CCPA should consider several actions to avoid the risk of enforcement by the attorney general’s office:

  • Update existing privacy policy with information on how, why, and what personal information is collected and processed
  • Update existing privacy policy with information on how users can request access, change, or erase their personal data
  • Introduce a method to verify the identity of the person making requests to access or change their data
  • Introduce a “Do Not Sell My Personal Information” link on their home page to allow users to prohibit the sale of their personal data
  • Obtain consent from minors 13-16 years old before selling their personal data and obtain consent from parents for minors younger than 13

Responding to Consumer Requests and Protecting Personal Data

As more and more companies shift to remote work and digital systems, compliance with the CCPA has become more critical, and for some, burdensome. Companies with limited resources that are struggling to create remote work policies and procedures inside the office are now faced with the challenge of managing data beyond the office. It is important to note that under the CCPA, the California attorney general can also take enforcement action against a business for failing to respond to consumer requests to view or delete personal information, as well as for an unauthorized sale of a consumer’s personal information (or sharing of that data).

Avoiding these compliance pitfalls may require using artificial intelligence and implementing digital tools. Here’s how companies can adapt to CCPA requirements.

Look to analytics and automation technologies to meet consumer and auditor requests efficiently and affordably. Under the CCPA, consumers may request a copy of the data categories being gathered or for their data to be deleted. This is where digital solutions can come in handy. Virtual assistants can help employees ensure that requests are addressed by identifying which consumers have a higher compliance risk and placing them into an automated workflow. Furthermore, analytic tools can make it possible to identify all requests mentioning certain key words, such as “CCPA,” “personal information,” “remove,” or “disclose.” Such tools can ensure efficient and reliable compliance with consumer or auditor requests.

Ensure that third-party partners who collect consumer data are compliant with CCPA requirements. For companies that fail to store consumer data in one central location, they may find it harder to comply with CCPA regulations. Such companies often give third-party providers access to consumer data. In these scenarios, companies should make sure that the third-party providers themselves are compliant with the CCPA.

During these times especially, the CCPA has taken on a new urgency and this is probably just the beginning of the era of consumer data protection.