By Peter Duthie, Co-CEO and Chief Architect at Ground Labs
GDPR. CCPA. PDPA. HIPAA. The alphabet-soup of data privacy regulations continues to grow with more industries across additional regions and state lines enacting new rules that require compliance. In today’s global economy, regulations impacting just one state, one country or one industry affect organizations worldwide. The pressure is on for companies to stay compliant across regulations — and furthermore, prove it.
The latest regulation to go live is the California Consumer Privacy Act (CCPA).
What is CCPA and does it affect my business?
With CCPA, California becomes the first U.S. state to enact GDPR-like protections for its citizens, impacting all organizations that conduct business in the state. Like GDPR, CCPA requires organizations to inform consumers about the Personally Identifiable Information (PII) data they collect and share, while empowering consumers to access and delete their PII data via a request to the organization collecting it. Therefore, it’s critical that organizations know exactly what PII data they have, and where it resides, or they risk facing significant consequences.
Unlike its older sibling, GDPR, which imposes fines based on the level of violation, CCPA allows affected individuals to pursue legal remedies against non-compliant companies. Under CCPA regulations, companies could be liable for up to $2,500 per individual violation for a data breach — numbers that could easily become staggering.
How are businesses preparing for CCPA?
Major companies like Microsoft are vowing to adhere to CCPA on a national level, a strategy that sits well with U.S. consumers who demand greater privacy in the wake of this past year’s exploitations. Microsoft’s move is in line with how we’ve seen most organizations conduct business under GDPR: it’s easier to comply more broadly while also proactively setting yourself up for success when future regulations arrive.
To help organizations prepare for the CCPA regulation, we’ve come up with five tips for achieving compliance.
1. Conduct a full data audit by mapping out where all PII data lives within your organization. It’s also imperative to know where it came from, who has access to it and what it’s being used for.
2. Ensure your customers understand their key rights related to their PII data:
- The right to know what personal information is being collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of the sale of personal information;
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
3. Expand consent notices that outline the above rights to reach every bit of public-facing collateral: websites, marketing materials and third-party contracts are all great places to start.
4. Create business strategies and internal processes to address the following business obligations outlined by the CCPA:
- Organizations must provide notice to consumers at or before data collection.
- Organizations must create procedures to respond to requests from consumers to opt-out, know and delete. (For requests to opt-out, businesses must provide a “Do not sell my personal information” link on their website or mobile app.)
- Organizations must verify the identity of consumers who make requests to know and to delete personal information, whether or not the consumer maintains a password-protected account.
- Organizations must disclose financial incentives offered in exchange for the retention or sale of consumers’ PII data.
- Organizations must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
5. Appoint someone within your organization to drive the compliance movement. Although this person will oversee efforts, it’s the responsibility of every department and individual to ensure compliance.
Choose the right partners and technologies
Data discovery solutions like Enterprise Recon from Ground Labs are powerful tools for the discovery and remediation of PII data, while providing the help and proof organizations need to demonstrate their compliance with CCPA. It’s important to keep in mind that compliance is not a destination but rather a journey — which is why it’s key to have a trusted partner who can help you navigate the ever-changing and challenging compliance landscape. Furthermore, taking a leaf out of Microsoft’s strategy, it’s important for organizations to look at CCPA and GDPR as a way to demonstrate to current and future customers and employees that their data matters and that, as a company, you’re taking proper steps to make sure it’s secure. This then becomes a proactive approach to data security rather than damage control post-breach, one which is increasingly valued and expected by consumers.
For more information around CCPA and what it means for your business, visit the CCPA’s official Fact Sheet.