The Article in 60 Seconds
Consumer privacy and its implications for companies of all sizes can no longer be ignored. Cyberbreaches, customer trust, and potential penalties require corporate responsibilities with data. This may mean your company needs to consider restructuring data storage and access, along with dedicating resources to ensure legal compliance.
The California Consumer Privacy Act of 2018 (CCPA) takes effect January 1, 2020, with enforcement beginning six months after the final regulations are published or July 1, 2020 — whichever is earlier.
CCPA requires subjected companies to identify and provide upon request all collected personal information, along with opt out and deletion protocols. All businesses, including SaaS companies, should be prepared for the changes to data architecture, cybersecurity, and response protocol this legislation requires for compliance.
While similar to the GDPR (General Data Protection Regulation) in the EU, CCPA has different definitions, different requirements, and different fines. And there’s already pending and proposed legislation in other U.S. states with differing criteria and regulations. Consumer rights are taking center stage and they just may mandate your 2020 priorities.
What you must immediately change:
Think About This
- The 2019 Ponemon Cost of a Data Breach report prepared for IBM says the average time to identify and mitigate a data breach is 297 days.
- CCPA allows up to 45 days to fix the problem after a data breach, after which fines begin accruing — not to mention the potential for civil action.
- Once enforced, fines for data breaches and failure to comply with CCPA can accrue up to $7,500 per day for violations. Can you afford to ignore the new data privacy laws?
- Accountability is key. Companies that collect any personal data must focus on data architecture and resource designation now. Your best bet to avoid or correct data problems is to know where your collected data is in all forms and to establish a team to continually monitor for issues.
If You’re Reading This, You Should Prepare Now
Keep in mind that CCPA applies not only to your company, but also to all companies you do business with; we’ll refer to “business contacts” to mean companies you buy from and sell to. And with proposals under consideration in New York and Washington, D.C., you should assume that you will have to comply with a similar form of consumer privacy legislation sooner rather than later.
CCPA applies to you if you are a for-profit company and have gross revenue of $25+ million, collect data for at least 50,000 California residents, or derive at least 50% of annual revenue from the sale of personal information.
For all collected personal data, you will need to identify when and how it’s collected, how and where it’s stored, and with whom it’s shared. Specifically, the CCPA requires any company meeting the above requirements to:
- Identify all:
  - Collected personal information
  - Categories of collected personal information
  - Sources of personal information and categories
  - Recipients (shared and sold) of personal information and categories
- Provide and publicize Opt Out links
- Implement procedures to address consumer requests for:
  - Collected personal information and categories
  - Sources and recipients of personal information and categories
  - Deletion of personal information
New Consumer Rights
Under CCPA, consumers have the right to ask a business for specific collected personal information about that consumer and any associated categories, the business reason for collecting it, and how/to whom the data was shared.
Consumers also have the right to request to have their information deleted and for confirmation of the completed deletion.
Consumers have the right to opt out of sharing their personal information. Interestingly, you can’t penalize a customer for opting out, but you can offer customers a financial incentive to opt in.
There Are Exceptions
B2B companies have a one-year reprieve to comply with some aspects of the CCPA — for customer data. You must still provide an opt-out and cannot discriminate against users who do so, but you do have an extension on meeting compliance obligations with customers. Marketing efforts are not specifically exempted and should follow the rules currently in place.
CCPA may not apply to all or part of data covered by HIPAA (health-related info) or GLBA (financial data), which is already protected by those acts.
Employee and job applicant data is temporarily excepted from CCPA enforcement.
What to Do Now
Assume that at some point in 2020, you will have to be able to demonstrate legal compliance with CCPA and/or other consumer privacy laws. You will need to document every policy and procedure in place to meet the regulations. Your company’s adherence plan must include the following:
- An opt out link, database, and procedure
- Consumer request procedures, including databases & forms, for information access and deletion, categories of information, and information-sharing partners
- Collected personal information and categories and the points of collection
- Business contacts, and categories of business contacts, from/with whom personal information and categories are shared
An added incentive to start now? The CCPA states that once the regulations are enforced, consumers will have the right to make requests that extend to the previous 12 months. That means you’ll need to be able to provide all 2019 data to guarantee compliance.
Opt Out Link
Your Opt Out link must take users to a page that allows them to opt out of the sale of their personal information, without penalty or limitation of access to products and services. The link must also notify users of any financial incentives to opt in to the collection and/or sale of information.
If a consumer chooses to opt out, you cannot ask again for authorization to sell their information for at least 12 months.
Consumer Request Procedures
Consumers have the right to request information from you, free of charge, up to two times within a 12-month period. CCPA stipulates that you will have to provide procedures for addressing the following consumer rights to information; see our checklist for details about what consumers can request.
Each of these procedures will need to be logged, responded to, and completed; a deletion request also requires confirmation of deletion. Requested consumer data can be delivered via mail or electronically.
Requests will need to be date-stamped to start the compliance clock on meeting the request.
Unless you operate exclusively online, you must provide at least two avenues for consumer requests: a toll-free phone number and your website. Online-only companies must have an option on the website.
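The request-handling rules above (a date stamp that starts the compliance clock, two free information requests per 12 months, deletion completed only once confirmation is sent, no re-asking for opt-in within 12 months of an opt-out, and a toll-free phone channel unless you are online-only) translate directly into a request ledger. The following is an added example of such a ledger written for this post; it is not code from the original article or from any CCPA tooling. The length of the response window (`RESPONSE_WINDOW_DAYS`) is an assumed placeholder to be set on counsel's advice, and the sample scenario in `demo()` is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed placeholder: the number of days you have to satisfy a request.
RESPONSE_WINDOW_DAYS = 45
FREE_REQUESTS_PER_PERIOD = 2     # "free of charge, up to two times within a 12-month period"
LOOKBACK = timedelta(days=365)   # the 12-month window used by both the free-request and opt-out rules

REQUEST_TYPES = {"access", "deletion", "opt_out"}
CHANNELS = {"web", "toll_free_phone"}


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str
    channel: str
    received_at: datetime                 # the date stamp that starts the compliance clock
    due_at: datetime
    chargeable: bool = False              # True only beyond the free allowance for access requests
    completed_at: Optional[datetime] = None
    confirmation_sent_at: Optional[datetime] = None   # deletions require a confirmation to the consumer


class RequestLedger:
    def __init__(self, online_only: bool):
        self.online_only = online_only
        self.requests: list[ConsumerRequest] = []
        self.opt_outs: dict[str, datetime] = {}   # consumer_id -> most recent opt-out date

    def _recent(self, consumer_id: str, kind: str, now: datetime) -> list[ConsumerRequest]:
        return [r for r in self.requests
                if r.consumer_id == consumer_id and r.kind == kind and now - r.received_at <= LOOKBACK]

    def log_request(self, consumer_id: str, kind: str, channel: str, now: datetime) -> ConsumerRequest:
        if kind not in REQUEST_TYPES:
            raise ValueError(f"unknown request type {kind!r}")
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if self.online_only and channel != "web":
            # an online-only business only has to offer the website; other businesses need phone + web
            raise ValueError("online-only business accepts requests via the website only")
        chargeable = False
        if kind == "access":
            chargeable = len(self._recent(consumer_id, "access", now)) >= FREE_REQUESTS_PER_PERIOD
        req = ConsumerRequest(consumer_id, kind, channel, now,
                              now + timedelta(days=RESPONSE_WINDOW_DAYS), chargeable)
        self.requests.append(req)
        if kind == "opt_out":
            self.opt_outs[consumer_id] = now
        return req

    def may_ask_to_opt_in(self, consumer_id: str, now: datetime) -> bool:
        """After an opt-out you may not ask for authorization again for at least 12 months."""
        last = self.opt_outs.get(consumer_id)
        return last is None or now - last > LOOKBACK

    def complete(self, req: ConsumerRequest, now: datetime, confirmation_sent: bool = False) -> None:
        if req.kind == "deletion" and not confirmation_sent:
            raise ValueError("a deletion request is not complete until confirmation has been sent")
        req.completed_at = now
        if req.kind == "deletion":
            req.confirmation_sent_at = now

    def overdue(self, now: datetime) -> list[ConsumerRequest]:
        return [r for r in self.requests if r.completed_at is None and now > r.due_at]


def demo() -> dict:
    """Constructed scenario exercising each rule; returns the outcomes for inspection."""
    t0 = datetime(2020, 1, 15, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    ledger = RequestLedger(online_only=False)
    ledger.log_request("c1", "access", "web", day(0))
    ledger.log_request("c1", "access", "toll_free_phone", day(30))
    third = ledger.log_request("c1", "access", "web", day(60))      # third in 12 months
    later = ledger.log_request("c1", "access", "web", day(400))     # only one request in trailing year
    ledger.log_request("c1", "opt_out", "web", day(0))
    deletion = ledger.log_request("c2", "deletion", "web", day(0))
    try:
        ledger.complete(deletion, day(1))
        needs_confirmation = False
    except ValueError:
        needs_confirmation = True
    ledger.complete(deletion, day(1), confirmation_sent=True)
    try:
        RequestLedger(online_only=True).log_request("c3", "access", "toll_free_phone", day(0))
        phone_rejected = False
    except ValueError:
        phone_rejected = True
    return {
        "third_access_chargeable": third.chargeable,
        "access_after_a_year_free": not later.chargeable,
        "opt_in_ask_blocked_at_200d": not ledger.may_ask_to_opt_in("c1", day(200)),
        "opt_in_ask_allowed_at_366d": ledger.may_ask_to_opt_in("c1", day(366)),
        "deletion_needs_confirmation": needs_confirmation,
        "overdue_at_day_46": len(ledger.overdue(day(46))),
        "phone_rejected_for_online_only": phone_rejected,
    }
```

The ledger keeps the timestamp the consumer's request arrived as the authoritative clock start, so that an overdue report can be produced at any time without trusting a downstream ticketing system's dates.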
Collected Personal Information and Categories
According to the CCPA, “personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Information that is aggregated, de-identified, and publicly available is no longer subject to CCPA regulation.
You will also need to know at which point you are collecting personal information; CCPA states that you must inform consumers about the categories and purposes of collection at the time of or before collecting. This includes online forms, analytics, and some widgets.
There are additional stipulations for consumers under age 16 and under age 13 as well. Those requirements are not detailed in this post because most B2B companies don't have customers in that age bracket. If you do, visit this website for more information. HubSpot presented information related to children this way:
Business Contacts: Sharing and Receiving
Consumers have the right to know all business contacts from and with whom their data is being shared, as well as the categories of those business contacts.
You will need to be ready to respond to consumer requests, going back up to 12 months from the eventual CCPA effective date. To do this, identify all business contacts from whom you receive and with whom you share consumer information. You will also need to know the categories of information received from and sent to each business contact.
Consider amending your vendor contracts to ensure adherence by your data sharing partners.
After you have defined a privacy plan, created your procedures for handling consumer requests, and identified what information is shared with whom, you’ll need a training plan. You are obligated to train all employees who will receive and process requests on CCPA and other pertinent personal data and privacy protocols, and on where to direct consumers who request more information about the applicable laws.
Where to Go for More Information
Download our CCPA Checklist. This step-by-step resource will help you identify the issues and work through what you need to do to bring your website into compliance.
But do remember: we are not legal experts nor do we claim to be. With every matter of this magnitude, we encourage you to seek the advice of your legal counsel.
The First Thing to Do After Reading this Article
If you haven’t already, assemble a strategy/oversight team to determine how CCPA will affect you. Consider designating a chief data officer and/or compliance officer whose responsibility it is to ensure that all data you collect is safe and trackable.
CCPA is all about the data — where it is, where it came from, what it is, how you store it, why you collect it, and what you do with it.
Analyze your data architecture and procedures. All collected data should be stamped when you receive it, like the code on a can of Coke, so you know its origin, purpose, location, and so on, at all times. Knowing where the data has been and where it’s going is key to compliance.
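Stamping each record with its origin, purpose, storage location and recipients at collection time is what lets you answer the "identify all" list earlier in this post, the 12-month lookback for consumer requests, and the business-contact questions from the previous section from a single inventory. The following is an added example of such a provenance-stamped inventory written for this post; it is not code from the original article or from any vendor. The category names, sources, business contacts and dates in `build_sample_inventory()` are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=365)   # consumer requests reach back 12 months


@dataclass(frozen=True)
class DataRecord:
    """One piece of collected personal information with its provenance stamp."""
    consumer_id: str
    category: str                 # category of personal information, e.g. "identifiers"
    source: str                   # point of collection or the business contact it came from
    purpose: str                  # the business reason for collecting it
    location: str                 # system where it is stored
    collected_at: datetime
    shared_with: tuple[str, ...] = ()   # business contacts it has been sent to


class DataInventory:
    def __init__(self) -> None:
        self.records: list[DataRecord] = []

    def stamp(self, consumer_id: str, category: str, source: str, purpose: str,
              location: str, collected_at: datetime, shared_with: tuple[str, ...] = ()) -> DataRecord:
        rec = DataRecord(consumer_id, category, source, purpose, location, collected_at, tuple(shared_with))
        self.records.append(rec)
        return rec

    def _window(self, consumer_id: str, now: datetime) -> list[DataRecord]:
        return [r for r in self.records
                if r.consumer_id == consumer_id and now - r.collected_at <= LOOKBACK]

    def disclosure(self, consumer_id: str, now: datetime) -> dict[str, list[str]]:
        """What a consumer access request must be answered with, limited to the trailing 12 months."""
        recs = self._window(consumer_id, now)
        return {
            "categories": sorted({r.category for r in recs}),
            "sources": sorted({r.source for r in recs}),
            "purposes": sorted({r.purpose for r in recs}),
            "recipients": sorted({c for r in recs for c in r.shared_with}),
            "locations": sorted({r.location for r in recs}),
        }

    def categories_sent_to(self, contact: str) -> list[str]:
        """Categories of personal information shared with one business contact (across all consumers)."""
        return sorted({r.category for r in self.records if contact in r.shared_with})

    def delete_consumer(self, consumer_id: str) -> dict[str, list[str]]:
        """Drop the consumer's records and report where to purge and which contacts to notify."""
        mine = [r for r in self.records if r.consumer_id == consumer_id]
        self.records = [r for r in self.records if r.consumer_id != consumer_id]
        return {
            "locations": sorted({r.location for r in mine}),
            "notify": sorted({c for r in mine for c in r.shared_with}),
        }


def build_sample_inventory() -> DataInventory:
    """Constructed sample data: two consumers, three collection points, three business contacts."""
    utc = timezone.utc
    inv = DataInventory()
    inv.stamp("c1", "identifiers", "web_signup_form", "account_creation", "crm_db",
              datetime(2020, 1, 10, tzinfo=utc), ("email_vendor",))
    inv.stamp("c1", "internet_activity", "site_analytics", "product_analytics", "analytics_warehouse",
              datetime(2019, 9, 1, tzinfo=utc), ("analytics_partner",))
    # received from a business contact more than 12 months before the request date below
    inv.stamp("c1", "commercial", "data_broker_x", "marketing", "crm_db",
              datetime(2019, 5, 1, tzinfo=utc))
    inv.stamp("c2", "identifiers", "web_signup_form", "account_creation", "crm_db",
              datetime(2020, 3, 1, tzinfo=utc), ("email_vendor", "analytics_partner"))
    return inv


def demo() -> dict:
    inv = build_sample_inventory()
    now = datetime(2020, 7, 1, tzinfo=timezone.utc)
    report = inv.disclosure("c1", now)
    to_partner = inv.categories_sent_to("analytics_partner")
    deletion = inv.delete_consumer("c1")
    return {"report": report, "to_partner": to_partner, "deletion": deletion,
            "remaining": len(inv.records)}
```

Because `disclosure()` applies the lookback to the stamped collection date rather than to when the record was last touched, a record older than 12 months (the "commercial" data here) drops out of the consumer's report even though it is still in the store; `delete_consumer()` ignores the window on purpose, since a deletion request covers everything you hold.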
CCPA is coming, and it’s likely that other states will follow with similar legislation. You can’t afford to wait for the final legislation to be defined. Use our free checklist to start planning now for your company’s compliance. We’re in this together and we don’t want to see any SaaS get left behind.