Navigating the CCPA – What you need to know before July 1

June 25, 2020
7 facts all cybersecurity and compliance executives should know

On July 1, 2020, the long-awaited California Consumer Privacy Act (CCPA) will be enforced. Organizations should have started complying at the beginning of this year, but there is still some time before the California Attorney General can issue fines. Here is a breakdown of what the CCPA is, who it affects, the benefits and more.

    1. What is the CCPA and who does it impact? The CCPA is a bill intended to strengthen privacy rights and consumer protection for residents of California. The law applies to any business worldwide that receives personal information from California residents, either directly or indirectly, and meets at least one of the following additional criteria: it makes annual revenue of more than $25 million (USD) in total (not just in CA); it receives personal data from at least 50,000 California residents, devices, or households per year; or it obtains 50% or more of its annual revenue from the sale of personal information about California residents.
    2. How can companies comply with the privacy regulations outlined in the CCPA? Compliance, transparency and safeguarding consumer privacy must be top-of-mind from the start. The process begins with discovery. Analyzing data sources to identify and quantify areas of privacy risk, by probing for application risk, unstructured risk, and third-party risk within those sources, gives companies a clear view of how they use data. This can then bolster companies’ ability to be transparent with consumers. Understanding individual rights such as access, data portability, deletion, sharing/selling disclosures, and opt-out or opt-in is critical when responding to an individual’s request to disclose these details. Companies should update rights management procedures, privacy policies, and contracts, and develop a process to fully automate right-to-know requests, allowing them to reduce the cost, time, and resources associated with complying with the CCPA.
    3. How can companies benefit from the CCPA? The CCPA incentivizes companies to adopt a privacy-by-design mentality by raising data awareness for consumers. The transparency benefits a business’s reputation, especially as regulations grow and the business remains dedicated to staying at the forefront of CCPA compliance. In addition, companies may choose to focus on first-party data collection, which makes for more reliable data in the long run and improves targeted marketing campaigns. Of course, not complying can be very expensive in many regards. Think about Apple’s privacy messaging as an example of where this can benefit a brand.
    4. Do the California Attorney General’s newly proposed revisions change anything? The latest submission of the operating rules is materially the same as the second redline, but the operating rules, when taken in conjunction with the CCPA, modify nearly every part of privacy compliance. Virtually every operational area is impacted, including elements of mobile, ADA, adolescent protection, timelines, reporting & evidence, third-parties, notices, definitions, financial incentives, verification, employment, agents, sale, opt-out and other sections that were unclear in the original text. Further, it tests the limits of the law in several areas, such as required acceptance of Do-not-Sell signals and valuing data (among other elements), rather than just clarifying them. If the Office of Administrative Law does not complete the review in the expedited timeline, then we will end up with the unfortunate situation where they will enforce only the “basic” CCPA (what is in the regulations and amendments, but not the operating rules) starting July 1.
    5. What’s the difference between the CCPA and CPRA? The CPRA expands upon the privacy protections introduced by the CCPA: it creates new privacy rights allowing consumers to stop businesses from using sensitive personal information, safeguards children’s privacy by tripling fines associated with collecting and selling a child’s private data, extends the exemption for employment data, and establishes an enforcement body in the California Privacy Protection Agency.
    6. How much is consumer privacy worth? Can it be monetized? A consumer’s privacy is tangible; it’s continuously traded and exchanged for various incentives such as freemium services or monetary gain. At times consumer data is knowingly traded, but there are also times when consumers are unaware of data being shared with third-party vendors, which is why transparency is a critical factor in consumer privacy. Transparency allows consumers to make more informed decisions about their data rights, including the value behind their data.
    7. Why is privacy important for those navigating COVID-19? As the world navigates COVID-19 and other events, companies are forced to think about two core elements: security and transparency. As new protocols are put in place to ensure the health and safety of consumers and employees as businesses reopen, the focus on privacy is important in being transparent. Privacy by design ensures the proper security protocols are put in place for businesses to secure data that is incredibly sensitive when complying with guidelines set forth by organizations such as the Center for Disease Control. Privacy is an individual’s right and must be protected.

About the Author: Dan Clarke is president of products and solutions at IntraEdge. Dan has 30 years of experience combining technology with media, retail and business leadership, has held executive leadership roles at Intel, is an experienced data privacy advisor, and is a 9-time CEO. Due to the Truyo privacy platform reaching more than a billion users and its 4-year history, Dan has deep expertise in the privacy landscape. He is a frequent speaker at public venues and is actively involved in Arizona, Texas, and federal privacy legislation.