The California Consumer Privacy Act of 2020 (CCPA) is landmark legislation that will have significant implications for businesses operating in California. If you’re responsible for data privacy and security at your company, it’s critical that you understand the law and how it will affect your business.
The act aims to protect consumer privacy by giving consumers the right to access personal information held by companies and giving them control over what companies can do with their data. Here’s an actionable CCPA and CPRA compliance game plan.
Preface on the CCPA and the CPRA
The California Consumer Privacy Act (CCPA) of 2018 is the first data privacy law in the United States. Given California’s large and influential population, it’s no surprise that this legislation has become a model for other states adopting stringent data privacy laws.
The purpose of the CCPA is to give consumers more control over how businesses collect and use their personal information. Also, the CCPA requires companies to disclose critical information about how they collect and use consumers’ data, including:
- What types of personally identifiable information (PII) are collected from customers?
- How is their PII collected?
- Where does the collection take place?
- Why is their PII needed?
- How long is customers’ PII kept?
Similarly, the California Privacy Rights Act (CPRA) of 2020 establishes a new right for Californians. It helps them to know what data businesses collect about them and how they use it. It also creates transparency around companies’ sharing and selling consumer data with third parties.
The CPRA requires businesses to be transparent about what information they collect from customers, how they use it, and with whom they share or sell it.
Heavy Fines and The Need for Compliance
As a business owner, you must be familiar with the California Privacy Rights Act and its effects on your business. The CPRA was enacted to protect consumers from companies that violate their privacy rights by collecting personal information about them without their knowledge.
It also gives consumers access to certain information about themselves, which a business may have collected or sold without their knowledge or consent.
The penalties for non-compliance can be severe. A violation may result in the following:
- A fine of up to $7,500 for each violation;
- Orders requiring you to delete data you have collected illegally; and
- Orders requiring you not only to stop violating the law but also to make sure all violations cease immediately
Reputational Damage: A Business’s Biggest Penalty for Non-Compliance
The CPRA protects consumers and ensures they can control how businesses use their personal information. The enforcement of this law is seen as a significant win for privacy advocates, but it will have an even more significant impact on brands that do not comply with the new rules.
This law arrives at a time when consumers are increasingly concerned about their online privacy, their personal data, and the brands that hold it. Complying is essential to protecting your brand’s reputation among Californians.
Customers want to know what information you’re collecting from them and how it’s being used—or they’ll go elsewhere.
The Action Plan
We’ve compiled an overview of everything you need to know about complying with CCPA and CPRA and the actual steps you can take now.
1. Prepare Your Team
To prepare your team, everyone must first be aware of the new law. The following sections will help you understand how the CPRA applies to your business and what steps you should take to comply with it.
As a business owner or manager, you must understand how this law applies to your organization and all its services. This includes understanding new requirements for compliance and consumer rights, as well as data protection and privacy issues related to California residents’ information.
2. Review Your Data Inventory
A critical step in CCPA compliance is to review your data inventory. This involves identifying what data is being collected, for what purpose, how long it is stored, and where it is stored.
It will also help you think about who has access to this information, how it is used, and whether there are any risks associated with holding it.
3. Map Your Data Flows
California has no laws or regulations requiring companies to notify customers when a data breach occurs, but businesses that fail will face serious consequences.
In California, it is now a crime for businesses not to disclose personal information they’ve collected from their customers. Violation of this law can result in heavy fines per violation and jail time for individuals charged with multiple offenses.
The California Consumer Protection Act protects consumers from unfair business practices by outlining specific standards for privacy protection and data security for companies in the state – including what information must be shown if there’s a breach.
In addition, it requires businesses to provide notice when they experience any event that poses a risk of identity theft or fraud due to unauthorized access or disclosure of personal information (PDPI).
4. Evaluate Your Data Protection and Privacy Policies
Review your data protection and privacy policies. Make sure your policies comply with the CCPA and update them if needed.
Your CPRA compliance policies should be consistent with your business model and industry. They should align with your company’s values. Clear, concise communication is always crucial, so make sure you’ve considered how to articulate the following:
- How data is collected and stored
- How long information is retained (and what happens after it expires)
- How it is accessed by employees of your company or by third parties working for you
5. Review and Update Your Privacy Disclosures to Consumers
Privacy disclosure is one of the essential elements of any data security program and should be reviewed with care. It serves two purposes: it informs individuals about how you will use or disclose their personal information, and it informs them of their rights over it.
The CPRA requires that you provide a privacy notice when collecting personal information from an individual. This notice is also needed when you change privacy practices in a way that may affect them. These notices should include the following:
- A description of the types of consumers whose records are collected;
- How these consumer records are used or disclosed (e.g., whether you share them with other companies);
- The consumer’s right to access or correct such information;
- An opt-out mechanism for sharing such data with third parties without consent;
- How long this information will be maintained before deletion (i.e., the retention period).
6. Implement a Data Governance Program
Data governance is the process of managing and governing data within an organization. It includes setting up policies, procedures, and standards to control access to data across your organization.
Data governance helps ensure compliance with privacy laws by establishing clear rules for when people can access personal information and how to use it.
Implementing a solid data governance program protects customer information from being used in ways that customers did not intend or expect.
This means you will be able to demonstrate your commitment to protecting user privacy if you find yourself under scrutiny from regulators or customers alike.
7. Test Your Opt-Out Processes
You should test your opt-out processes with a small group of consumers, then with a larger group. You can also experiment with a sample of your entire customer base.
Test how long it takes to opt out and what percentage of people who try to opt out succeed. If the process is too cumbersome or complicated, you could lose potential customers for good.
8. Document All Calls from Consumers
Record the date, time, and name of the person who called. When you receive a call from someone asking for information about your organization or requesting action, take down their contact information.
This can include their name, phone number, and email address. Record the nature of the call and what was discussed. Record the outcome of the call. Whatever happened during this interaction should be documented in detail so that proper follow-up actions can be taken to secure PII.
9. Hire A Data Protection Officer (DPO)
Hiring a data protection officer (DPO) to meet the California Privacy Rights Act (CPRA) requirements is a good idea. A DPO’s role is to ensure that your company complies with regulations and provides adequate protection for data privacy.
They must be “independent from any business function, not an employee of the controller or processor, and able to perform their duties independently.”
This means that if you hire someone who already works for the company itself, they will not be considered sufficiently independent. They would have a conflict of interest, since they would have interests both as an independent third party and as part of the company itself.
They are responsible for ensuring compliance with data protection laws. This may include advising on policies related to processing personal information and monitoring CCPA and CPRA compliance.
They should provide advice/training on security measures, monitor staff awareness, prepare reports on findings/recommendations under regulations, and conduct audits/inspections to ensure compliance.
10. Install the Do Not Sell Opt-Out Notice
You must install the Do Not Sell Opt-Out Notice on your website. The notice must be in the form of a link to a web page on your website that is accessible from the homepage of your website.
You must use this link in your email to customers or prospects who do not want their personal information sold or shared with anyone else.
If someone signs up for your email list and wants to receive emails from you, they should receive an email with the Do Not Sell Opt-Out Notice link (and instructions) within 24 hours of signing up for it.
If a customer or prospect clicks on this link, they will be taken to a page where they can opt out of having their personal information shared with companies outside your business entities.
If they don’t click on this link within 30 days after being notified by mail or email about how they may opt out, then there is no obligation under California law for any further action by you.
11. Go Cookie-Less (Almost) and Tell People About It!
Cookies are a great way to track people’s browsing habits and are helpful for marketing purposes. But they’re also being used more and more for nefarious reasons.
The good news is that there are alternatives to cookies that can help marketers retain valuable information about their customers while protecting their privacy.
You can still provide your users with an excellent experience using other methods:
- Universal IDs
- Location targeting
- Contextual advertising
- First-party data
However, it’s important to remember that not all cookies are gone. You need consent for any cookies you continue to use for your marketing or advertising.
12. Respect Individual Choice
Consumers have the right to opt out of data collection and sharing. As a CPRA-compliant company, you must provide consumers with the ability to opt out of information collection.
In addition, you cannot use deceptive practices that prevent individuals from opting out of data collection or sharing programs—for example, by tricking them into consenting when they don’t want to give consent (see below).
13. Educate Your Employees
To ensure that California privacy rights are protected, it is essential to educate your employees on the importance of data protection.
Your employees should be taught how to handle data and protect it. They must also be taught about transparency and accountability when dealing with personal information.
14. Require Responsible Corporate Behavior
The California Privacy Rights Act (CPRA) imposes data protection requirements on all companies that collect and process personal information.
The CPRA requires companies to have a data protection policy in place, as well as a data protection officer. It also mandates that companies train their employees on how they are expected to treat customers’ personal information.
Companies should take this responsibility seriously, since failing to comply can result in fines of up to $7,500 per violation! That’s why it is critical for all businesses operating within California, whether large or small, to build these best practices into their corporate structure.
The CCPA is critical legislation that will significantly impact how businesses operate in California. As technology advances, emerging technologies like biometrics continue to create new and poorly understood privacy risks for consumers. Companies must understand how to comply with the law while still collecting data and delivering personalized services to their customers.