How Can My Company Data Comply with the CCPA?
We always knew that the General Data Protection Regulation was only the beginning. Although GDPR was passed by the European Union, it reaches any company or organization that handles the personal data of people in EU countries, wherever that organization is based. The data breaches and consumer data sales that sparked the creation of GDPR have continued worldwide, so it was inevitable that other states and countries would adopt similar measures to protect their residents' data. California is the next to join the party. On January 1st, 2020, the California Consumer Privacy Act of 2018 (officially, AB-375) came into effect. Organizations that neglect its requirements face a civil penalty of up to $7,500 for each intentional violation and $2,500 for each unintentional violation. Much like GDPR, the law covers not only for-profit companies located in California but any business that collects the personal data of California residents. If you think your company doesn't count because you're located in another state, you may want to take another look.
How Does the CCPA Work?
California's state legislature passed the California Consumer Privacy Act in late June of 2018, and the statute was amended on September 13th of that same year and again on October 11th of 2019. The statute is focused on the rights of the citizenry: the stated intention of the original bill was to give California residents more knowledge of, access to, and control over the personal data that corporations collect about them. California was in a unique position to pass such a bill because of its long history and robust foundation of consumer protections and privacy rights. While many other states have looked at repurposing the bill's text for their own constituents, that process won't be simple, not least because a copy of the text in another legislature would be riddled with holes that California's established privacy infrastructure has already filled.
The CCPA applies to any for-profit business that collects California consumers' personal data and meets at least one additional criterion: annual gross revenue of more than $25 million; buying, selling, receiving, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving at least half of its annual revenue from selling consumers' personal information. Consumer data covered by the CCPA includes the expected fields, such as name, postal address, home IP address, and SSN, but it also includes biometric information, geolocation data, audio and video recordings, and employment records. This is a pretty broad range, comparable to GDPR's definition of personal data, and it covers nearly every datum an organization could hold about a user or client.
What Do I Have to Lose by Not Following CCPA Regulatory Requirements?
Technically, the CCPA's rules around data breaches are less prescriptive than its other requirements: enforcement depends on the Attorney General's office prosecuting violations and on consumers filing suit. AB-375 itself adds no breach-reporting requirement (California's existing breach notification law still applies). Even if the AG decides not to take a violation to court, consumers whose nonencrypted and nonredacted personal information is exposed because a business failed to maintain reasonable security may still sue, individually or as a class, for statutory damages of $100 to $750 per consumer per incident, or for actual damages, whichever is greater. Whereas GDPR penalties are based on the company's annual revenue and so scale with the size of the business, CCPA damages scale with the size of the transgression. In other words, the less you secure your data, the more you stand to lose.
How Can My Company Comply with the California Consumer Privacy Act?
While the definition of covered data is sweeping, the measures organizations must take to comply are specific and clear. Your company must update its privacy policy to describe consumers' rights, including how users can opt out of the sale of their personal information and how they can access the information you hold about them. To that end, you must also place a clear and conspicuous "Do Not Sell My Personal Information" link on your website's homepage that leads to an opt-out form. Most companies put this link in the footer, where it is easy to find on every page without reworking a carefully designed header menu.
The CCPA is especially protective of minors. Businesses may sell the personal information of consumers under the age of 16 only with their affirmative opt-in consent, and for children under 13 that consent must come from a parent or guardian. For customers and users of all ages, the company must implement a means by which a person can request the specific personal data collected about them, including the categories of third parties to which that data was sold or disclosed, and can request its deletion. Companies must respond to a verifiable request within 45 days, meaning that archaic data architectures and bureaucratic processes aren't going to cut it. And if your company is in the middle of containing a breach when these requests come flooding in, let's just say it will save you time and money to pay for an ounce of prevention. Even when the infrastructure is in place, there is no substitute for strong document security at every level.
What Steps Can I Take To Comply Now?
It is never a bad idea to rethink how you manage consumer data internally. How you create it in its digital form. How you store it. How you share it. Luckily, enterprise content management is exactly that: reimagining document handling and storage. While you may need web design services to add the necessary links and information to your web pages, an up-to-date ECM (and adherence to best practices) goes a long way toward keeping you out of the worst-case scenario.
An ECM solution like Contentverse can help you digitize your entire herd of filing cabinets. Batch processing speeds up that process, and metadata makes documents easier to find later. With a separate security administrator, you can not only limit who can access what but also ensure that the management team and other admins operate within security protocols, so nobody can access or check out a file for which they lack permissions. With Contentverse's new Content Sentinel, documents can be securely shared via email link with people outside the organization. And the double-layered encryption of stored files protects them even in the remote case that human error exposes them to an outsider.
The GDPR and CCPA are both frightening to a lot of businesses, but when you consolidate your prevention into a single ECM, they don’t have to be. If you are not already prepared for CCPA regulation, the time is now. Don’t let another day go by putting your users’ data – and your company’s welfare – at risk.