Is Your Business Prepared for the California Consumer Privacy Act?

May 13, 2020Homefield IT

Business IntelligenceCloud ServicesIT Consulting & StrategySecuritySoftware DevelopmentTech Support & Managed IT ServicesTelecommunicationsConstructionEducationFinanceHealthcareLegalReal Estate

At the end of last year, California passed the California Consumer Privacy Act (CCPA), a landmark piece of legislation that defines a new standard for an individual’s data rights. The law provides three major forms of protection for consumers:

• Right to access
  The right to know what personal information a business holds on an individual, including which information was collected, whom it was shared with, and to whom it was sold.

• Right to deletion
  Under CCPA, consumers have the right to request that a company delete their personal information

• Right to opt-out
  Individuals can stipulate that they don’t want their data sold to third parties.

Until the passage of CCPA, the United States has had comparatively lax data privacy standards, especially compared to Europe, which last year passed the comprehensive General Data Protection Regulation (GDPR).

Who Needs to Comply with CCPA?

California is the world’s fifth-largest economy, home to a high concentration of leading technology companies, like Google, Apple, Facebook and others. Much like GDPR, CCPA extends to well beyond the physical boundaries of the state and applies to anyone who “does business with the State of California.”

Businesses that fall into any of these categories have compliance exposure to CCPA:

• Those that have $25 million in annual revenue
• Companies of any size that have personal data of at least 50,000 people
• Companies the collect more than half of their revenues from the sale of personal data

Any business that falls into these categories without being CCPA compliant faces civil penalties of up to $2,500 per violation, or $7,500 for each “intentional” violation. Additionally, there are penalties if consumer data is ever breached, ranging from $150 to $750 per violation. In the case of a large-scale data breach, these penalties could quickly add up to an enormous fine for your business.

The financial penalties associated with CCPA non-compliance demand an urgent, decisive response.   

According to research, only 55% of companies plan to be ready for CCPA implementation by January 2020. That same research shows that the number one reason that businesses aren’t prepared for CCPA compliance is a lack of time.

What Data Should You Protect to be Fully CCPA Compliant?

One of the factors that make CCPA compliance such a challenge is that it outlines a very broad view of what constitutes personal information, broader even than the GDPR, which is still giving businesses trouble almost a full year after being passed. According to the CCPA text:

“Personal information is data that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The legislators chose the word “household” intentionally. It was designed to prevent businesses from circumventing the law by claiming it isn’t collecting information about an individual while collecting information about someone else who’s using the same computer.

Individuals who are protected by CCPA have several explicit rights in terms of privacy.

• To know what data is being collected about them for 12 months after it’s collected
• Opt-out of having their personal information sold to a third party
• Obtain a copy of personal information in a clearly understandable format
• Sue for damages if personal information is shared without consent

Manhattan Tech Support Has Clear Processes for Robust CCPA Compliance

To ensure this rigorous protection of data, and stay on the right side of CCPA regulators, Manhattan Tech Support and its cybersecurity division Kaytuso developed customized solutions that greatly reduce the complexity and stress surrounding strong compliance.

Below are just a few key elements of our CCPA solutions:

Building a Comprehensive Data Inventory for Clarity and Transparency

One of the first and most important steps toward building a CCPA-compliant data privacy program is to create a comprehensive inventory of the personal data in your organization, including how it’s shared, processed by your systems, and stored. This record, called a data inventory, isn’t a static list; it’s a living record of how your business processes and data interact.

Here’s how we help companies map their data inventories

Procedures for Quickly Addressing Customer Requests

Under CCPA, a consumer has a legal right to request their personal data from your business and receive it in an easily intelligible format within 45 days. Because customer data is stored across many different systems and tools within your businesses, you’ll need an entirely new set of technical processes for ensuring that your team can retrieve that data quickly.

We help business configure their systems to handle the full range of consumer data requests

• Accepting and managing customer requests
• Verifying the identity of requesters
• Properly categorizing “know” and “delete” requests
• Procedures for handling data opt-out and opt-in

Strengthen Your Overall Data Security

CCPA requires that each business that falls into one of the above-mentioned categories have “reasonable security” in place to protect consumer information. The ambiguity of the term “reasonable” has been discussed in regulatory circles for decades, but in CCPA, it should be interpreted as providing:

• Protections that are common throughout your industry
• Continuous vulnerability management
• Secure configuration of hardware and software, including mobile devices, laptops, and servers
• Strong vendor management processes

To help businesses remove as much ambiguity as possible from CCPA, Manhattan Tech Support and its cybersecurity division Kaytuso, use frameworks like the National Institute for Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security’s Top 20 Critical Security Controls (CSC 20), both of which are recognized guidelines in assessing and mitigating cybersecurity risk.

An Award-Winning Partner With Over 20 Years of Compliance Expertise

CCPA is landmark legislation for data privacy here in the United States, but it may just be the beginning. There are six other states with privacy laws currently in place and six more that could create their own data privacy legislation by 2020, including Washington, Illinois, Oregon, and Texas.

If you’re a business that needs expert advice on how to best address the new raft of data privacy legislation like CCPA, we’d be happy to help. Our seasoned experts have over 20 years of experience providing businesses with best-in-class compliance solutions and would love to answer your questions about CCPA or any other compliance standard you’re facing.

Contact us any time at [sales-phone] or [email-address]!