During the first half of 2020, COVID-19 has redefined the new normal and in many cases put on pause legislation impacting businesses. One exception to these cancellations is the California Consumer Privacy Act of 2018 (CCPA), which took effect at the beginning of this year. With the California Attorney General officially announcing the submission of its final regulations to support the CCPA on June 2, 2020, the official deadline to achieve compliance, and ultimately avoid fines, is July 1, 2020.
The six month grace period between the CCPA’s implementation and enforcement was designed to give businesses an opportunity to assess their compliance needs and act accordingly. As if this wasn’t a tall enough order, mass organizational restructuring and the increase in remote work as a result of COVID-19 has disjointed business’ data processes in some cases deprioritized this pending obligation. As a consequence, the remote work practices hastily implemented within many organizations has driven a significant increase in distributed data over this period, only adding to the complexity. Amid the dispersed work and coming to terms with new business realities, organizations and their shareholders can ill afford the hefty price tag of non-compliance.
Unlike its European counterpart, the General Data Protection Regulation (GDPR), which imposes fines based on the degrees of violation, the CCPA allows individuals to pursue legal action against companies for their infractions. Non-compliant companies could be on the hook for up to $2,500 per individual violation of a data breach — an amount that can quickly get out of hand. As July 1 quickly approaches, organizations can take the following steps to work toward achieving compliance by the deadline and remaining compliant in the future.
Conduct a data sweep of all endpoints
In today’s remote work environment, employees are downloading, storing and sharing customers’ personal identification information (PII) in a variety of different places, some of which aren’t secure or approved destinations. What seems like a harmless act can put organizations at risk, not just when it comes to compliance but also in terms of overall network security.
To avoid and mitigate the disbursement of this data to unsecure endpoints, organizations should conduct a thorough sweep of all workstations to map out the location of PII data. This should be done regularly to ensure continued compliance and protection from malicious actors. In addition, by understanding where personal and sensitive data resides, this enables organizations to review the workflows and make appropriate changes to mitigate future risk. In an ideal scenario, only a small number of employees will have access to valuable customer and user data therefore limiting how often it’s accessed, reviewed or shared.
While compliance is the responsibility of all departments within the organization, hiring a compliance officer or CISO to spearhead the compliance movement can also help mitigate some of the regulation’s complexities. A dedicated compliance officer can help relay important messages to the company as whole, and drive initiatives, providing a clear leadership and data strategy for the company. As the regulatory landscape grows in size and becomes more complicated, compliance officers or CISOs should be following the latest trends and initiatives to proactively promote organizational compliance.
Ensure consumers understand their right to PII data
The overall goal of the CCPA is to give consumers more control and safeguards over how their data is used. With this in mind, it’s imperative that organizations over communicate to customers to ensure they are aware of the key rights within the CCPA:
- The right to know what personal information is being collected, used, shared or sold, as well as the categories of personal information the business has collected on consumers over the previous 12 months.
- The right to request the deletion of personal information.
- The right to opt-out of the sale of personal information.
- The right to non-dscrimination for the exercising of a consumer’s privacy rights.
In addition to these new regulations, organizations must also provide the resources to submit a request for the disclosure of personal information. These types of situations require that organizations over communicate with their customers for compliance and transparency. To do this, organizations should ensure that consumer rights are prominently displayed on publicly facing content, including a dedicated page on the company website and inclusion in all marketing materials or third party contracts. While these new rights will be enforced by the CCPA, now may be a good time for organizations to assess what types of data management initiatives they can undertake to be proactive.
Create internal processes to address new compliance obligations
It’s also worth noting that with the new consumer rights listed above, the CCPA requires organizations to adhere to a new set of obligations, including but not limited to:
- Notice at collection, meaning that organization must alert consumers at or before the point of data collection.
- Organizations must create clear procedures to respond to requests from consumers to opt-out, delete, etc.
- Organizations that sell personal information data must provide clear and direct links like “Do Not Sell My Personal Information” on their website or mobile app.
- Organizations must verify the identity of consumers who request to know and or delete personal information.
- Organizations must disclose financial incentives offered in exchange for the retention or sale of consumer’s PII data.
- Organizations must maintain records of requests and how they responded for at least 24 months and have security measures to protect and maintain this information.
At first glance these obligations can seem daunting, but the cost of becoming compliant is far exceeded by the cost of non-compliance. While compliance officers can help manage these obligations and internal processes, compliance is the responsibility of all employees, from a seasonal intern to the CEO. Having specific employees trained and knowledgeable for an organization’s obligations to compliance is an immense benefit, but with the increasing speed of data, everyone needs to be vigilant. Additionally, these new obligations serve as an opportunity for organizations to review their data management processes and put their best foot forward towards transparency, compliance, customer satisfaction and risk mitigation.
Compliance is a constantly moving target. Today, it’s the CCPA, tomorrow it’ll be states either adopting CCPA or defining their own legislation. As such, organizations that view compliance as essential to their business will be prepared for future regulations. With so much of peoples’ daily lives happening online, organizations are collecting and sharing vast amounts of data that are valuable but can also be incredibly vulnerable, making July 1 an important date for all.