Are You Compliant With the California Consumer Privacy Act?

Blog

Thought Leadership

Are You Compliant With the California Consumer Privacy Act?

Noah Webster

CCPA key on keyboard

The California Consumer Privacy Act went into effect on Jan. 1, 2020. Now that this game-changing piece of cybersecurity legislation has become law, companies need to get serious about the details.
 
Does your company have one or more customers in California? If so, CCPA almost certainly affects you. The law grants individuals a right of action (basically, the ability to sue) if their unencrypted or unredacted data is stolen. That right applies even if the stolen data caused no personal harm. Data breaches already are scary, but the threat of class-action lawsuits makes them more so.

More specifically, assuming you meet any of the criteria listed below the CCPA impacts data security and privacy for your business:
 

  • If you are part of a for-profit organization doing business in California that earns $25 million or more in revenue per year
  • If 50% or more of your company's annual revenue comes from selling personal information
  • If you sell 50,000 or more consumer records per year

 
Compliance with CCPA means giving California residents the right to know what personal information has been collected and whether it’s been sold, as well as the right to access and delete that information at will. Meeting those mandates won’t be easy, so we suggest you start immediately.
 

What CCPA Means for Daily Operations

 
The good news is, the CCPA isn’t drastically different from existing data privacy laws, most notably the General Data Protection Regulation passed in the European Union in 2018. Like its California counterpart, the GDPR requires companies to give individuals more control over their personal data. GDPR rules apply to anyone who does business in Europe, which is likely to be a large swath of companies that do business in California, too. Those companies already have done much of the legwork to comply with CCPA.
 
The bad news is, the laws are not identical. For example, both involve updating privacy notices, improving opt-in/opt-out requests, and abiding by requests to delete data. Unlike GDPR, however, the California law requires companies to create a “do not sell” link that lets users restrict how their data is monetized. The devil is in the details, and companies can’t assume that complying with another set of rules ensures compliance with CCPA.
 
Penalties for noncompliance are uncertain, but they’re intended to be meaningful. The California attorney general can levy fines of $2,500 to $7,500 for each user profile handled improperly. Multiply those fines by the thousands of users typically affected by a breach, and it’s clear just how costly CCPA could become.
 

Getting Compliant on a Short Schedule

 
If you already have a data privacy program in place, you’re on the right path. With a few updates, you will likely be in full compliance with CCPA. If you don’t have a program, you may have a lot of ground to make up:
 

  • Data mapping: Identify exactly what data you have, where it lives, and who does the processing. Understanding what data exists inside your ecosystem is a prerequisite for securing it as CCPA requires. 
  • Data governance: Evaluate your ability to manage and monitor incoming data. Without excellent governance, companies that start compliant may struggle to stay compliant. 
  • Data monetization: Plan how you will monetize data (now and long-term) in ways that comply with CCPA. The law creates strict mandates for monetization.
  • Privacy controls: Judge whether your existing privacy controls create gaps that might conflict with CCPA. If and when they do, identify how processes and technologies need to evolve to close those gaps. 
  • Compliance management: Make a team or individual responsible for ongoing CCPA compliance. Staying within the letter of the law will take constant evaluation and adaptation — work that companies can’t afford to neglect. Plus, by cultivating in-house compliance experts, companies are better prepared for future data-privacy laws at the local, state, federal, or global level.


If you don’t serve California, be aware that other states are considering similar laws, and tougher privacy protections seem all but guaranteed. Therefore, everyone should take the spirit of CCPA seriously and begin preparing for a future in which data is an asset and a liability.
 
When you’re ready to get started, contact the team at Zix to properly secure all of your data and help you stay compliant with every regulation that comes to pass.