by Jess Cowle
As of January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect for all businesses that have clients based in California. CCPA was created to protect the privacy and data of consumers. The CCPA initiative is intended to “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.”
According to a recent survey, only 8% of businesses are prepared, while 56% of U.S. businesses will not be prepared by the January 1st deadline.
Obstacles to CCPA
Why are so few companies prepared? The study found that a lack of time or bandwidth and the complexity of the law are the biggest obstacles to CCPA compliance.
Many companies have even extended their compliance deadline to July 1, 2020. 37% of the companies asked said they expect to be compliant after the new year and hopefully before July 2020. 9% of the companies did not have a timeline for compliance.
You Could Be Fined
Penalties are capped at $7,500 per violation. Your company could be fined $2,500 for each unintentional violation under Section 17206 of the California Business and Professions Code. The CCPA also allows individuals to recover between $100 and $750 per incident, or more if the actual damages exceed $750.
What Do You Need To Do to Comply?
Follow these steps from Morgan Lewis to make sure you’re compliant before the new year.
- Determine whether the CCPA applies to your business and what data elements are collected from California consumers and for what purposes they are used.
- Consider how consumers’ personal information should be organized.
- Create a process and identify individuals responsible for preserving copies of “specific pieces of personal information that the business has collected about [each] consumer” and promptly responding to consumers’ requests for access.
- Create a documented process (including, but not limited to, a toll-free number and website address) and identify individuals responsible for responding to “verifiable consumer requests” with individualized disclosures about the business’s collection, sale, or disclosure of the personal information belonging to the specific consumer making the request.
- Create policies that reconcile CCPA’s requirement to delete data upon request with the need to preserve evidence in litigation and avoid sanctions for spoliation of evidence.
- Create a process and identify individuals responsible for deleting consumer data in response to such a request.
- Provide minors with a “right to opt in.”
- Provide training for employees on CCPA’s prescribed consumer rights.
- Review existing agreements with third parties or service providers to ensure that contracts limit the service provider’s use of personal information as strictly as CCPA prescribes, and revise as needed.
- Provide consumers the right to equal service and price.
- Create and maintain a robust incident response plan.
For more detailed information about how to comply with CCPA, we recommend the following resources:
- The official Californians for Consumer Privacy website
- Your Readiness Roadmap for the CCPA (PwC)
- California Privacy Law, Third Edition