Key Steps to Comply with the California Consumer Privacy Act (CCPA)
In 2018, a major milestone in consumer data protection was reached when the General Data Protection Regulation (GDPR) was signed into law. It was not the only consumer privacy bill, however. The California Consumer Privacy Act (CCPA) was signed by Governor Jerry Brown and aims to control how businesses in California obtain and share their consumers' personal information.
Even without a physical location in the state of California, the CCPA might still apply to you. To help you comply with its provisions, the experienced team at Ethyca has compiled a few measures to serve as a guide.
Determine whether the CCPA applies to your organization
Not every organization needs to comply with the provisions of the CCPA. The act provides thresholds that a business can compare itself against:
- Gross annual revenues greater than $25 million.
- Organizations that buy or sell the personal information of 50,000 or more consumers, households, or devices.
- Businesses that derive 50% or more of their annual revenue from selling consumers' personal information.
Once you determine that your business meets the threshold set by the CCPA, you can continue checking against the other measures in the article.
Mapping out your data flow
The next action you should take is to map out your consumer data. Key questions to ask yourself include: what personal data do you collect, how do you collect it, in what forms and where is it stored, and with whom do you share the data you have collected?
Data mapping lets you know how your business collects and uses consumer information. This in turn makes you accountable for how you and any third-party vendors use that data.
As with the GDPR, you will have to include privacy disclosures on your website. Website visitors will be informed of your data collection practices and can choose whether to consent to or decline the collection of the information your organization seeks.
Privacy disclosures will also reveal whether the information will be shared with third parties and the purposes for which it is used.
The CCPA empowers customers and visitors to make requests concerning their personal data. The act states that the organization in question must provide an answer within 45 days, free of charge. Because handling these requests correctly is technically demanding, you will need an in-house team that can handle such requests from your clients or visitors.
Failure to comply with CCPA provisions constitutes a violation. The CCPA enforcement body can fine you anywhere from $2,500 to $7,500. Lawsuits are also a possibility where a consumer believes that their personal information has been breached.
To avoid such a scenario, make sure all your team members are aware of the CCPA rules. You should hold intensive training sessions that cover the CCPA provisions, how they apply to customers, and how the organization responds to inquiries made by consumers.