The California Consumer Protection Act (CCPA) is hailed as one of the country’s most comprehensive data privacy bills. It controls the collection and selling of both physical and digital data. According to the initiative, the CCPA will “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.”
The CCPA goes into effect on January 1, 2020, with enforcement beginning July 1 or earlier. Don’t be caught unprepared. It’s time to prepare your website now with these seven steps.
- Determine if your company is affected by the CCPA. The general guidelines state that businesses with over $25 million in annual gross revenues; that receive or share personal information for 50,000 or more consumers, households or devices; or that derive more than half of their annual revenues from consumer data sales will need to adopt the CCPA guidelines. There are exceptions to the above list, but it’s better to be ready.
- Take stock of what data you are already collecting. Since the act encompasses previously uncontrolled data, you’ll want to know any changes you need to make. Obvious data includes names, addresses, and driver’s license numbers, but ‘inferred’ data is also included. This includes profiles you build about customers based on their preferences and purchases. You’ll also need to review the data you’ve been collecting from customers under the age of 15. CCPA includes additional consent requirements that are in line with the federal Children’s Online Privacy Protection Act.
- Assess your current data security practices. The CCPA boosts liability exposure and links it to statutory damages in case of a security breach if your business does not provide “reasonable security” for its customers’ data. While businesses are given 30 days to take care of violations before they face consequences, it’s best not to be in that situation to begin with.
- Figure out a plan to handle customer requests. The CCPA allows customers to ask for information related to their personal information. Having a process in place to fulfill their requests in a timely manner will help you be compliant with the requirements.
- Research how you share information with other businesses and entities. CCPA means that customers can opt out of sharing their information or allowing you to sell it. Be prepared to examine any regular transfer of information you make that might be considered a “sale” of information. Keep in mind that affiliates (but not parent companies or subsidiaries) may be considered separate businesses, so they require the same opt-out for your customers.
- Research contracts with vendors and public disclosures. Vendors must have specific language included that matches the new provisions in CCPA, and you may need to amend those contracts to be in compliance. You’ll also want to look at disclosures to make sure they include information about the customers’ rights to opt-out of sales of their information or delete or access their information.
- Consider options for ways to modify your services for customers who do choose to exercise their new rights. As per CCPA, you cannot discriminate against any customers who do so, but you may choose to offer incentives to encourage customers to continue sharing their data. Look at any existing data collection you do through incentive plans and see if there are any changes you can make or if you can create new plans.
Don’t forget that the CCPA will likely change over time. It’s possible that there will be changes based on federal laws and other legislative changes or additions. Make sure you’re not missing out on any necessary adjustments or deadlines you’ll need to adhere to.