CCPA Compliance: Preparing for the California Consumer Privacy Act

The purpose of the California Consumer Privacy Act (CCPA) is mainly to rein in the use and sale of personal information by large companies for purposes such as advertising. This doesn’t mean the rest of us are off the hook for CCPA compliance, however. Let’s look briefly at some of the reasons the CCPA law may apply to you and what it covers.

Do You Need to Prepare for CCPA?

CCPA in California goes into effect January 1, 2020 and applies to for-profit companies that meet at least one of the following criteria:

• Has an annual gross revenue of $25 million or more
• Buys, uses, sells or shares the personal information of at least 50,000 consumers, households or devices within California
• Receives at least half of its annual revenue by selling consumers’ personal information

While this sounds fairly straightforward, there are wrinkly areas. Here are just a few cases in which you should, or you must, be able to show CCPA compliance:

• You supply goods or services to a company that is required to comply with CCPA or have a contract with one or otherwise do business with one
• You fall under one of the rules above, but you’re not based in California, nor do you have a physical location in California
• You fall under one of the rules above, but you’re a B2B company that doesn’t collect data about individuals
• You fall under one of those rules above, but you’re a company that de-identifies data collected about individuals, such as for statistical purposes

What if These Don’t Apply to You?

There are some very good reasons you should comply with CCPA law, even if none of this applies to you right now:

• You have a website that is able to be visited by California residents, and you collect data about those site visitors or their devices
• You hope to someday have revenues of $25 million or more (#likeaboss)
• You hope to someday have 50,000 or more customers/users in California
• You hope to someday supply goods/services to a company required to comply with CCPA
• You hope to someday sell your business to or merge with a company required to comply with CCPA

Like other data privacy laws, what CCPA considers personally identifiable information is pretty broad and includes IP addresses, browser cookies and clickstreams, in addition to physical or email addresses and other obviously identifying data. (It does not cover personal health information already subject to HIPAA privacy laws, as no one is using that data for sales/marketing without permission of the individual – or at least that’s the idea.)

While who and what constitutes an individual consumer or device may be pretty easy to understand, CCPA includes household data too, which is rather less defined.

And, as mentioned, CCPA law requires covered companies to make sure any third-party suppliers or service providers are also in compliance. This means if a telecom company hires you to cater an office lunch or you are a promotional items company making 500 polo shirts with the logo of a big social media company – tag, you’re it.

Even if you aren’t in California and don’t sell to or deal with anyone in California, keep in mind there are many states that have passed or are discussing similar data privacy laws. You might still want to brush up on your ABCs and think of CCPA requirements as a practice test.

Understanding the CCPA Requirements

There is much more than just storage and software at work here. There are massive policy implications and massive changes to websites that are going to need to happen. While CCPA covers similar ground as the GDPR, it is more specific on data breaches. If private data is breached or exposed, you’re toast. Even if encrypted data is leaked, you are in trouble if there’s any potential that the encryption keys or metadata leaked. The minimum fine is $2,500 per record. If you can’t address the issue quickly, that goes up. If it’s found that a breach is due to a known issue, such as a problem you ignored, that can go up to $7,500 per record.

As with GDPR, the right to be forgotten is the main difficulty from the perspective of IT management, and CCPA adds some interesting twists. For example, if a consumer requests you delete their data, there are some exceptions, such as data you need in order to complete your business with that individual. If you need to mail them a product they’ve paid for or to keep track of their purchase history for tech support purposes, you do not need to grant their request. And if you are under obligation for some legal reason to keep their data, you do not need to grant their request.

Another nuance: A customer can permit you to keep their data, but not share it with or sell it to any third parties. To comply with this, administrators will need to manage files based on these varying requests, perhaps in separate repositories based on the customer’s preference or by flagging or tagging it as either “do not share” or “okay to share.”

A consumer can request access to or removal of their data up to the prior 12 months. So, while the law doesn’t take effect until January 2020, technically it covers data beginning in January 2019, which means the time to start complying with CCPA law is… six months ago.

How to Address CCPA

Seek out data management features that help to comply with the right to be forgotten, protect private data, manage similar data in different ways or different data in similar ways. Advanced CCPA-compliant solutions give you the ability to classify and categorize data with tags so the information can be managed and found. These solutions also provide full-text content search so users can locate and retrieve data without having to know where it’s physically stored.