CCPA Compliance Checklist - Is your business ready?

With the world moving toward digitization, organizations serve customers from all around the globe. More consumers mean more data to handle and a higher risk of data breach, and protecting consumers' personal data is one of the biggest challenges businesses face. The rising trend of data breaches, and of unauthorized access to user data for targeted marketing, is drawing the attention of regulatory authorities.

The General Data Protection Regulation (GDPR) came into effect in May 2018 to govern how websites and organizations may collect, handle and process consumers' personal data, which can be anything from names, addresses and browser history to financial data and more.

California Consumer Privacy Act (CCPA)

GDPR paved the way for a new consumer privacy initiative, the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. While GDPR is a "privacy by default" and "valid consent from consumers" legal framework for the entire EU, CCPA is about creating transparency and giving consumers rights in California's huge data economy.

Under AB 375, the bill that enacted CCPA, every California consumer has the right to see all the personal information a company or organization holds on them, and to demand a full list of all third parties with whom that data is shared. If a company violates the privacy guidelines, consumers have the right to sue it, whether or not a data breach has occurred.

This definition of personal information is clearly broader and more complex than GDPR's, since it lists a wide range of examples: social security numbers (SSNs), purchase histories, browser histories, driver's license numbers, and other "unique personal identifiers" such as geolocation, device identifiers and online tracking technologies. It excludes publicly available information, however, such as tax data from a central registry or government records.

What does CCPA mean for business?

The CCPA, in effect since January 1, 2020, has a significant impact on corporate privacy policies across the technology, media and entertainment, and telecommunications (TMT) industries. Many brands across the United States largely avoided GDPR. Nevertheless, emerging privacy concerns among consumers and global regulations are the core drivers of data privacy mobilization across the TMT industries.

CCPA compliance is obligatory for all businesses dealing with California residents that have at least $25 million in annual revenue. Additionally, businesses that handle the personal data of at least 50,000 people, regardless of their size, also fall under the obliged entities. To be bound by CCPA, companies do not need a physical presence in California; in fact, they do not even need to be in the United States.

CCPA is considered one of the strictest privacy laws in the United States. It equips California residents to monitor and control how businesses process their personal data, which means organizations must now honor consumers' requests to access, delete and even opt out of the sharing or sale of their personal information. Given these CCPA-specific requirements, organizations need to update their privacy programs and stop selling data when a consumer requests it.

In April of last year, an amendment to the law exempted "insurance institutions, agents, and support organizations", since they are already subject to a similar regulation under California's Insurance Information and Privacy Protection Act (IIPPA). It also excludes medical or health information collected by a person or entity governed by California's Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Risks associated with third-party services

CCPA compliance poses a significant challenge for businesses because of the involvement of third parties. Working with third parties is crucial for the obliged entities, yet they are held responsible for whatever those third parties do with their data.

Under CCPA, organizations that collect or process consumers' personal data are liable for keeping that data private and protected under all circumstances, however many third parties, such as service providers or external vendors performing marketing, verification or billing, potentially gather the organization's data.

Businesses need to conduct a comprehensive audit to determine which third parties collect, process or store consumers' data on their behalf. Once these are identified, organizations need to amend their policies and contracts to achieve CCPA compliance.

CCPA Compliance Checklist

With the introduction of CCPA, expanded disclosures have become a fundamental obligation of businesses subject to the new law. Organizations need to develop detailed privacy notices to present to consumers when their data is collected, and they must publicly disclose consumers' rights under CCPA.

Here's a CCPA compliance checklist that lays out a roadmap for companies to meet the CCPA requirements.

  • Know if CCPA applies to your business

The first thing a business needs to do to comply with CCPA is determine whether it is an obliged entity. The CCPA sets out criteria for an organization to be bound by the law, as well as some exemptions.

  • Review Personal information collection

To comply with CCPA, it is essential to figure out what personal information your organization or business collects from consumers; data collection is, in fact, the foundation of CCPA. Organizations are often not fully aware of the types of data they collect from a user, for instance the consumer's IP address, which also falls under CCPA's definition of personal information.

  • Map data relationships

Under the California Consumer Privacy Act, the customer has the right to know what data is collected and for what purpose. To meet this demand, companies need to develop data maps that clearly show the scope of personal information being collected, processed and stored. They must also describe how the data is used internally, whether it is sold or shared with third parties, and if so, for what purpose.

  • Review policies for handling information

CCPA aims to improve the way organizations handle consumers' personal information, which is driving organizations to review their existing policies and procedures first. For instance, what procedure would they follow if a customer requests deletion of his data?

Suppose the company stores data in a parallel topology, meaning the data is held not only on the server but on other systems as well. Deleting the data from the server is then not enough, and the procedure has to be revised.

  • Update organization’s privacy policy

Updating the company's privacy policy is a mandatory part of CCPA. The policy describes to customers, in detail, what data the organization collects and for what purpose. Under CCPA, the policy must include the following three things:

  1. Consumer rights: what control a customer has over his collected information.
  2. What is collected: what personal information is collected from the consumer.
  3. How information is used: how the collected information will be shared, i.e. for business purposes or by sale to external vendors.

These three points must be described in detail in the company’s privacy policy.

  • Prepare for consumers’ opt-out and deletion requests

Since CCPA allows customers to make opt-out and deletion requests, they are certainly going to use that right, and organizations have to be prepared to accommodate such requests. Handling consumers' requests manually is not effective; setting up an automated system to handle deletion and opt-out requests is the need of the hour.

To that end, it is recommended to establish a procedure by which consumers can request a copy of their data and its deletion.
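As an added example that is not part of the original checklist, the following Python sketch ties the "map data relationships" step to the deletion-request step: it keeps a small data map of where personal information lives, why it is held and which third parties receive it; shows why deleting from the primary store alone fails when a parallel copy exists; and runs a deletion plus opt-out request across every store with a final verification that nothing remains. The store names, third-party names, consumer IDs and records are constructed placeholders, not data from any real system.

```python
"""Added example: data map + deletion/opt-out propagation across parallel stores.
All store names, third parties, consumer IDs and records below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Store:
    """One system that holds personal information (constructed example)."""
    name: str
    purpose: str
    shared_with: list                               # third parties fed from this store
    records: dict = field(default_factory=dict)     # consumer_id -> record fields

    def holds(self, consumer_id: str) -> bool:
        return consumer_id in self.records

    def delete(self, consumer_id: str) -> bool:
        # True only if a record was actually removed
        return self.records.pop(consumer_id, None) is not None


def make_sample_stores():
    """Constructed inventory: a primary web database, an analytics warehouse
    that mirrors part of it (the 'parallel' copy), and a CRM."""
    return [
        Store("web_db", "account management", ["payment-processor"],
              {"c-1001": {"email": "a@example.test", "ip": "198.51.100.7"},
               "c-2002": {"email": "b@example.test", "ip": "203.0.113.9"}}),
        Store("analytics_warehouse", "product analytics", ["ad-network"],
              {"c-1001": {"ip": "198.51.100.7", "device_id": "dev-42"}}),
        Store("crm", "marketing", ["email-vendor", "ad-network"],
              {"c-1001": {"email": "a@example.test", "purchases": 3},
               "c-2002": {"email": "b@example.test", "purchases": 1}}),
    ]


def build_data_map(stores):
    """Data map: for each store, which fields it holds, why, and who receives them."""
    return {
        s.name: {
            "fields": sorted({k for rec in s.records.values() for k in rec}),
            "purpose": s.purpose,
            "shared_with": sorted(s.shared_with),
        }
        for s in stores
    }


def stores_still_holding(stores, consumer_id):
    """Verification step: every store that still has a record for the consumer."""
    return [s.name for s in stores if s.holds(consumer_id)]


def naive_delete(stores, consumer_id):
    """The inadequate procedure: delete only from the primary store, then verify."""
    stores[0].delete(consumer_id)
    return stores_still_holding(stores, consumer_id)


def handle_deletion_request(stores, consumer_id, opt_out_registry):
    """Propagate a deletion request to every store, mark the consumer as opted
    out of sale, and report which downstream third parties must be notified."""
    deleted_from = [s.name for s in stores if s.delete(consumer_id)]
    # any third party fed from a store that held the data must be told as well
    notify = sorted({tp for s in stores if s.name in deleted_from for tp in s.shared_with})
    opt_out_registry.add(consumer_id)
    remaining = stores_still_holding(stores, consumer_id)
    return {
        "consumer_id": consumer_id,
        "deleted_from": deleted_from,
        "notify_third_parties": notify,
        "opted_out_of_sale": consumer_id in opt_out_registry,
        "verified": not remaining,
        "remaining_in": remaining,
    }


if __name__ == "__main__":
    print(build_data_map(make_sample_stores()))
    print("naive delete leaves copies in:", naive_delete(make_sample_stores(), "c-1001"))
    print(handle_deletion_request(make_sample_stores(), "c-1001", set()))
```

The point of `stores_still_holding` is that a deletion procedure is only finished when the verification pass comes back empty; `naive_delete` shows the parallel-copy failure the checklist warns about, and the request record returned by `handle_deletion_request` is what an audit trail for the request would store.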

  • Review third-party contracts and conduct audits

The California Consumer Privacy Act places greater responsibility on organizations to keep track of third parties' collection of consumers' personal data; in case of any violation, the company is held liable. To avoid such situations in the future, companies need to revise their contracts with third-party companies and service providers that use customers' personal information.

Reviewing contracts alone is not enough: organizations also need to conduct regular audits of the service providers that have access to the data, to find any loophole or threat.

  • Review security protocols and implement data encryption policies

Data privacy is the basis of CCPA, and it means protecting consumers' data by every means, including against data breaches. That is why reviewing security protocols and implementing data encryption is equally essential for companies to comply with CCPA.

  • Employee training regarding CCPA

Training employees on new company policies, data handling and privacy laws is a core responsibility of an organization. Employees must receive in-depth training on every part of the California Consumer Privacy Act, especially the parts directly applicable to their job roles.

Violations of CCPA can carry stiff penalties and fines, so companies need to be vigilant in developing new policies and procedures to comply with the regulation.

CCPA in effect – Mozilla firefox will let users delete their collected data

The California Consumer Privacy Act came into effect on Wednesday, Jan 1. Bound by the new privacy law, Mozilla, the maker of the Firefox web browser, announced changes to give users more control over their data.

CCPA gives California residents the right to know what personal data companies collect and for what purpose, and the right to ask companies to delete the data collected about them. According to Mozilla, the changes it is making will apply not just to California residents but to all Firefox users.

The changes will ship in the new browser version scheduled for the coming Tuesday, January 7, as Mozilla wrote in its blog post:

“In line with the work we’ve done this year to make privacy easier and more accessible to our users, the deletion control will be built into Firefox and will begin rolling out in the next version of the browser on January 7. For Firefox, privacy is not optional. We don’t think people should have to choose between the technology they love and their privacy. We think you should have both. That’s why we are taking these steps to bring additional protection to all our users under CCPA.”

Though Firefox does not collect users' data from visited websites or search queries, it will let users delete telemetry data (e.g. session time or the number of tabs opened). This data is collected only to improve the performance and security of the browser.

Since it is not worthwhile to create two separate interfaces and policies for the browser's users in different states, other companies, including Microsoft, may follow Mozilla's lead. Moreover, other states have started considering laws similar to CCPA, which may apply in the near future and extend beyond California.


CCPA: A Real Roller Coaster for Business Entities

One huge change in 2020 is the new data privacy law called the California Consumer Privacy Act, or CCPA, in effect from January 1st, 2020. Its effects are expected to reach far beyond the state of California.

The CCPA is considered California's equivalent of Europe's General Data Protection Regulation (GDPR). Signed by the Governor of California in 2018, the CCPA grants California residents new online privacy and consumer protections. Even if you are not a resident of the Golden State, it may affect you.

What is CCPA and what is it going to do?

The Act gives residents of California the right to know what personal data is being collected about them, for what purpose it is used, and who it is sold to or shared with. They also have the right to request that their data not be sold to third parties and that it be deleted on request. Furthermore, it gives citizens the right to access the data collected about them online.

You may already have come across the impact of CCPA in the form of new privacy policies on various websites as they prepare for the law's implementation. Even though consumers will not notice a major difference day to day, it has a great impact on businesses: the law completely changes how companies will treat customer data.

Even if your business has no physical presence in California but conducts business with residents of the state, the CCPA may affect you too. While the CCPA is California state law, customers and businesses all across the United States will likely benefit.

Most businesses will not want the extra overhead of applying different privacy rules, one for California and one for the rest of the country. Just as the GDPR, though not directly applicable to non-European countries, paved the way for new data protection regulations across the globe, CCPA, itself inspired by GDPR, will now likely serve as an inspiration for other such laws.

Businesses Affected by CCPA

CCPA will affect businesses selling products or rendering services to residents of California. If your company buys or sells data on at least 50,000 California residents each year, you are obliged to disclose to those residents what you are going to do with their data, and they have the right to have their data not sold.

Moreover, companies generating revenue of $25 million or more, or earning 50% or more of their annual revenue by selling customer information, are affected by the CCPA.

Firms that need to comply with CCPA

Businesses operating online and collecting any sort of customer data need to comply with CCPA. The following are some businesses that must comply with CCPA regulations:

Identity Verification Services

Since identity verification requires sensitive identification data on customers, verification services are the most vulnerable to data breaches and need to place stringent checks on how they protect customers' data. CCPA requires that all identity verification services implement their privacy policies in line with the California Consumer Privacy Act.

Social Media Platforms

As an important part of customers' online journey, social media is a preferred platform for targeting an audience of interest. Various social media sites are used to advertise products and services, and the data available on these platforms, though mostly unstructured, contains sensitive information. Much of the personal data from social media platforms is bought and sold without prior user consent, which is why CCPA is going to affect social media platforms.

Are Businesses Ready for California’s New Consumer Protection Act?

As with GDPR, no one is certain what it means to be compliant with CCPA. With the start of a new decade the law is in effect, and it looks like consumers, businesses and even the regulatory authorities in California are not ready: the draft regulations for enforcing the act are still to be finalized at the state level.

Despite many concerns before its official adoption last year, GDPR went smoothly, or at least more smoothly than expected, but the CCPA is likely to be a greater compliance challenge. As the United States' first data privacy law that gives customers control over their data, the CCPA is expected to create a lot of uncertainty.

Most online companies view the CCPA as being in their long-term interest, since it is the first step toward data privacy. The companies, however, are not quite sure whether the law is comprehensive enough to cover all aspects of data protection and to deal with all the challenges faced by firms and customers online.

Regardless, California's Attorney General says that even though widespread enforcement of CCPA is not likely until July, companies should not treat the first six months as a grace period. He further said, "We are going to help companies understand our interpretation of the law."

Given the hesitation and uncertainty surrounding the implementation of CCPA, businesses consider it a real roller coaster ride for both the regulators and the firms that aim to comply with it.

Initial CCPA Compliance Costs Could Hit $55 Billion

According to an economic impact assessment prepared for the state attorney general's office by an independent research firm, California's new privacy law could cost companies a total of $55 billion to reach compliance. Total CCPA compliance costs are likely to vary considerably with the type of company, the maturity of the business's current privacy compliance system, the number of California consumers it provides goods and services to, and how personal information is currently used in the business.

CCPA provides sweeping privacy protection to California's residents. It includes a provision allowing consumers to know what data companies are collecting on them. The bill grants California residents the right to be informed about how companies collect and use their data, and allows them to request that their personal data be deleted, among other protections. It represents the start of a new era of privacy laws designed to protect personal data, says Kelsey Finch of the Future of Privacy Forum. One section of CCPA gives consumers the right to have their personal information deleted from the company's database.

CCPA Affecting Businesses:

CCPA will affect three types of businesses based in California:

  • Companies that have gross revenue of at least $25 million.
  • Companies that buy, sell and share the personal information of 50,000 or more consumers, households or devices.
  • Companies that get 50 percent or more of their annual revenue from selling consumers’ personal information.

By estimates, companies with fewer than 20 employees will have to pay $50,000 for compliance, and large companies with more than 500 employees an average of $42 million. This will amount to 1.8% of California's Gross State Product. According to a report, total compliance costs for companies subject to the law could range from $467 million to more than $16 billion over the next decade. Researchers estimated that as many as 75% of California businesses earning less than $25 million in revenue would be affected by the legislation. States have begun to pursue privacy legislation, and Facebook CEO Mark Zuckerberg has advocated creating a nationwide policy: setting one legal standard for tech firms would reduce cost and complication compared with a piecemeal approach to compliance.

Since many California businesses that operate in Europe already had to make changes to comply with the GDPR, which went into effect last year, and CCPA has taken some elements from GDPR, the research suggests that compliance costs for California's law will be reduced. The EU estimated that average incremental compliance costs for the GDPR would total about 5,700 euros a year (nearly $6,300), according to the report, though there is also evidence that the regulation cost productivity in sectors that rely heavily on data. Under GDPR, smaller firms are likely to bear a disproportionately larger share of compliance costs than larger firms.

CCPA: An Inherent Part of GDPR:

Over a year after the introduction of the GDPR, concerns about its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs. Resources explain this dichotomy by noting that large technology companies are often several steps ahead of both competitors and regulators. In the long term, however, the differential impact will likely shrink, driven in part by competition among third-party services that help small businesses comply with the legislation.

Economic Impact on Companies:

Companies are going to face an economic impact from CCPA: smaller companies with fewer than 20 employees are expected to spend about $50,000 in initial CCPA compliance costs, while mid-sized firms with between 20 and 100 employees could incur costs of $100,000 to start, according to the study.

The expenses come at a time when companies are reaping big rewards from the buying and selling of personal consumer data. The use of personal data in online advertising is a $12 billion annual business in California. When combined with the buying and selling of information from data brokers, the number rises to $20 billion annually.

California businesses could spend an additional $16 billion over the next decade, after initial compliance expenses, to keep up with changes and other expenses, according to the report. Those expenses could include hefty fines for those who violate the law.

A recent report from the International Association of Privacy Professionals found that as of this summer, only 2 percent of affected businesses were fully compliant with the law.

Meanwhile, some other state legislators are using California law as a model. In Nevada, for instance, a new privacy law went into effect on Oct. 1. That law, known as Senate Bill 220, will give consumers more ways to keep websites from selling personal data.

Businesses that need to comply with CCPA:

The following are some businesses that hold large amounts of private data that need to be protected under CCPA:

  • E-Commerce:

Online businesses hold a huge amount of private data, which they take advantage of. A user surfing the internet is analyzed by AI-based products, and products of interest are shown to attract him. This means user data is being used to drive sales of desired products through advertising. CCPA will thus strengthen the privacy policies of businesses across the globe, and the so-called rights over consumer data will be challenged by CCPA.

  • AI-based Verification Services:

As regulations regarding KYC and AML become more stringent, businesses are adopting identity verification services for their customers and for other businesses, so these providers hold huge amounts of client data that they have to verify. Identity verification service providers have the most confidential data on hand, hence they must follow the provisions of the California Consumer Privacy Act.

  • Social media:

Social media plays a vital role in shoppers' purchasing decisions; it is a platform for targeting an audience of interest. According to a study, 87% of shoppers are satisfied with the shopping experience through social media. Many social media marketing tools are employed to reach the audience of interest and improve the sales of a particular product, and businesses are aware of these tools and deploy them well. These marketing products use the information available on social media platforms. Social media sites will have to change their practice of selling users' personal information to third parties: the user's consent must be obtained before selling this data to a third-party business.

So businesses need to comply with CCPA to protect consumers' private data. Since many California businesses had to comply with Europe's General Data Protection Regulation last year, some of the compliance costs for the new state law will likely be reduced, according to the report's authors. Many businesses need to comply with CCPA to mitigate the risk of a data breach. The law will go into effect on Jan. 1, 2020.

California Consumer Privacy Act How it will impact Your Online Business

The California Consumer Privacy Act has been revolutionizing consumer data regulation. The act was passed in June 2018, introducing reforms that will cause a major change to the privacy and data usage policies of tech companies. The Act makes it mandatory for tech companies to disclose the motive for their data collection, the nature of the data collected, and the third parties to whom it has been sold for ad generation. It will have a global impact on the tech industry's use of consumers' data. The act was much anticipated, as it will improve users' online experience and reduce the fraud that results from data breaches; such losses of data cause major harm to the business in possession of that data. Compliance with the California Consumer Privacy Act will add value to a company's profile, increase its credibility and increase its customer value, because consumers are very keen to exercise control over their data: according to a survey, 90% of Americans want to exercise control over the information collected from them.

The data that consumers leave, willingly or unwillingly, on the internet is not a useless trail that merely sits in the cloud; the search trail and other information users provide is used by businesses to generate high revenues. Appearing in mobile search results can increase brand awareness by 46%. Facebook, LinkedIn, YouTube, Reddit, etc. are considered the most fruitful platforms for selling products. According to a survey, 93% of businesses in a B2B arrangement consider LinkedIn the most valuable platform for their business, while 95% of B2C businesses consider Facebook the most valuable, in terms of generating revenue and creating brand awareness among consumers.

These businesses do not generate revenue just by posting their products for sale; they use the user data held by tech businesses like Facebook and Google to analyze and predict consumer buying behavior, and then make sales offers based on a user's buying behavior.

Highlights of the California Consumer Privacy Act:

The act was passed as a bill in June 2018 by the California state legislature and will be in effect from January 2020. It gives Californians many rights over the collection and use of their data.

Concerned businesses:

Businesses with the following attributes will be liable to follow the regulations of the California Privacy Act:

  • Generate $25 million in annual revenue,
  • Annually buy or sell the data of 50,000 Californian consumers,
  • Generate 50% or more of their revenue from buying and selling California consumer data,
  • Operate anywhere in the world but provide goods and services to Californian users.

Disclosures regarding usage of data:

Tech companies are bound to obtain consumer consent before selling personal information to a third party. The Act forces companies to reveal what data they collect and how they use it, and consumers will have the right to request that a business delete and remove their data from its database.

Requests by the consumers:

Consumers in California will have the right to request that a company show them the usage history of their data. This covers the use and purpose of the data, the third parties to whom it has been provided, the methods used to collect it, and the categories of personal information collected.

Clear privacy policy on the website:

Tech companies operating in California have to add a "Do Not Sell My Personal Information" button in a clearly visible place on their website.

Legal action by the consumers and fines:

Consumers will have the right to sue a company for illegal use of their personal information. Businesses found non-compliant with the California Consumer Privacy Act (CCPA) will be liable for a fine of $2,500 to $7,500 per violation.

Non-discrimination:

Even if a user exercises his right to control his data, the business may not discriminate against that consumer in the services offered or the price of the product.

Businesses that need to change their privacy practices:

The California Consumer Privacy Act will be in effect from January 2020, so businesses need to buckle up for the changes they will have to make to their company's privacy practices. In a survey of 250 executives of businesses in California, 72% said they plan to invest in their IT infrastructure to meet CCPA compliance, and one-fifth of respondents stated that their company plans to invest more than $1 million in compliance-related functions. The survey found that only 21% of businesses in California are currently compliant with the new privacy regulations.

Social media:

According to a survey, 87% of shoppers say that social media plays a vital role in their shopping decisions. Businesses are aware of this trend and use the easily available information on social media platforms to market their products. Social media websites like Facebook will have to change their practice of selling users' personal information to third parties; to sell this data to a third party, the business would need its users' consent.

Verification service providers:

Due to increasing regulation regarding KYC (Know Your Customer) and AML (Anti-Money Laundering), many businesses use third-party verification services to verify end users. Businesses availing themselves of verification services would have to obtain the end users' consent before forwarding their data to verification platforms. The businesses providing the verification services have the most confidential data on hand, hence they must follow the provisions of the California Consumer Privacy Act.

Search engines:

Search engines like Google would also be affected by the California Consumer Privacy Act (2018). The company has been selling user data to third parties and making big bucks from it, but now its revenue from ad generation might fall, because users from California would have the right not to provide their personal data for ad generation or for sale to third parties.

E-commerce businesses:

These businesses take the greatest advantage of the consumer data sold online. The user's buying and internet surfing data is analyzed by AI-based products, and sale offers are made based on the consumer's preferences. Hence consumers are indirectly pushed to buy products they would not have bought if there were no ads in their browser.

It is therefore clear that the California Consumer Privacy Act (CCPA) will reshape the privacy policies of businesses around the world, and especially of multi-million dollar firms. The buying and selling of consumer data has become a huge industry, and businesses with access to, and so-called "rights" over, consumer data have been exploiting it to make huge profits. The CCPA will put those rights back in the hands of their rightful owners.