What are CCPA Regulations?
CCPA stands for the California Consumer Privacy Act. It sets out rules that guide businesses on how to inform consumers about their rights, how to handle consumer requests, and how to provide privacy rights to residents of California. The CCPA went into effect on January 1, 2020 and has been enforced since July 1, 2020. Let’s walk through whether your organization qualifies for this regulation and how you can prepare for it:
What are CCPA Requirements?
1- $25m of Revenue
The $25 million revenue threshold applies to the business’s global revenue, not just revenue earned within California.
Confusion and Clarification
As mentioned, the statute does not limit this revenue to California, and the Attorney General’s office has declined to clarify. As such, even businesses with a smaller presence in California but a global revenue exceeding $25 million may still fall under CCPA jurisdiction.
2- 50,000 California Consumer Records
Definition of Consumer
The CCPA defines “consumers” as California residents. This means that the 50,000 threshold applies to records relating to California consumers, households, or devices only.
What Constitutes “Receives”
The lack of clarity around what “receives” means has led to a conservative interpretation. Any action related to obtaining, storing, or using 50,000 or more California-related personal information (PI) records may bring a business under CCPA jurisdiction. This includes both direct and indirect interactions with personal data.
Type of Information
This extends to various types of personal information, such as names, addresses, email addresses, Social Security numbers, and other personal identifiers.
3- Personal Information Sales
Threshold for Compliance
A business falls under CCPA if it derives 50% or more of its annual revenues from selling California consumers’ personal information.
Definition of “Selling”
The term “selling” is broadly defined in the CCPA to include renting, disclosing, disseminating, making available, and other actions related to personal information, provided that it’s for monetary or other valuable consideration.
Obligations for Sellers
Businesses that meet this criterion have specific obligations under the CCPA, such as providing a “Do Not Sell My Personal Information” link on their website.
How to Prepare for CCPA?
Step 1: Commit to a Cybersecurity Program
Action: Proactively engage in a cybersecurity program that secures Personally Identifiable Information (PII) and prevents data breaches.
Rationale: Building robust cybersecurity measures is not just about compliance but also about the overall protection of sensitive data.
Step 2: Obtain Board-Level Support for CCPA
Action: Secure support from executives and board members.
Rationale: Such support helps bridge the business and technical aspects of the organization, aligning efforts and minimizing potential gaps in compliance.
Step 3: Conduct a Gap Analysis
Action: Assess your current state of compliance and identify areas that need improvement.
Rationale: This allows you to prioritize your efforts and resources effectively to ensure CCPA compliance.
Step 4: Inventory Assets and Map Data Flow
Action: Maintain a detailed inventory of all assets and create a comprehensive map of data flow within the organization.
Rationale: Understanding where and how personal information flows is essential to implementing proper controls.
Step 5: Create Policies, Procedures, and Processes
Action: Develop and document specific policies, procedures, and processes to manage CCPA compliance.
Rationale: Having a clear framework is critical to consistent and effective data management.
Step 6: Implement a Security Program or Partner with Experts
Action: Either implement a security program to secure personal information or partner with specialized firms like Cyber Defense Group.
Rationale: Expert guidance or robust internal programs can ensure that the particular requirements of CCPA are adequately met.
Step 7: Ensure Employee Communication and Training
Action: Implement proper communication channels and training programs related to CCPA for all relevant staff.
Rationale: Compliance is a team effort, and employees at all levels must understand their roles and responsibilities.
Step 8: Monitor and Audit Regularly
Action: Implement a regular monitoring and auditing program, including annual assessments.
Rationale: Regular checks ensure that compliance efforts are sustained and effective, allowing for timely adjustments as needed.