Date: 2020-01-24

The California Consumer Privacy Act (CCPA) entered into force on January 1, 2020. Although the majority of companies understand why the act has come into force, many are unaware of the larger ramifications: how companies will be affected holistically, how to prepare, and what could be in the pipeline regarding new data protection regulations. A recent study by Ethyca found that only 12 percent of companies had “adequate compliance status” before the new data protection regulation became law.

The study also found that more than 70 percent of companies have not developed or implemented a policy compliance solution. Rather, companies choose to simply retrofit old processes or ask employees to schedule additional hours to ensure that they are compliant with the way they collect and store data. However, companies that rely on manual, outdated solutions are exposed to regulatory risks.

The brass tacks: guidelines and rules to follow

As part of the CCPA, California consumers have received extensive new data protection rights and may require any company to tell them what personal information it holds about them or their household. They can also instruct a company not to sell their personal information and request that all data collected be deleted. However, the deletion request is not absolute and offers flexibility to companies that need to keep the data for legitimate business reasons, for example to fulfill a contractual obligation or because there is a legal reason for storing the data, such as tax reasons.

According to the CCPA, companies that do business in California and process data about California consumers, regardless of whether they are California-based, need to be more transparent about how they manage, store, and use the data of their California customers. With a few exceptions, a company is required to disclose, upon request, the specific personal information it has collected about a single California consumer and, if that data has been sold, additional information.

The law applies to for-profit companies that do business in California and meet one of the three criteria listed below. Companies that meet one of these criteria must work with internal employees to adequately capture a consumer’s information, determine how and where to store it, and establish under what conditions they are required to disclose it.

Prepare properly

Given that many U.S. and even global companies deliver products to California or have online properties (e.g. websites) available to Californians, a significant number of companies need to make timely preparations and ensure that ongoing compliance processes are in place. By law, California consumers have a new private right of action for privacy violations, with a legal penalty of up to $750 per violation (or actual damages, if higher). However, as of July 1, 2020, the legal sanctions for a data breach can increase significantly (up to a maximum penalty of $7,500 per breach) if the Attorney General is involved in the litigation. This would prove to be very costly for companies and is a line item that should definitely be considered when budgeting for 2020. The new data protection law could initially cost companies up to $55 billion, according to an economic impact assessment prepared for the attorney general by an independent research firm.

To prepare for this new legislation, companies must:

– Determine whether the CCPA applies because the company meets one or more of the following criteria:

  – Has global gross annual sales of more than $25 million; or

  – Buys or sells, alone or in combination with another company, the personal information of 50,000 or more consumers, households, or devices; or

  – Generates 50 percent or more of annual sales by selling consumer personal information

– If the CCPA applies:

  – Make sure the company is ready for the CCPA review phase, in which it must be able to disclose personal information from the 12 months before the date of a disclosure request

  – Train employees on the CCPA and on possible changes to internal processes

  – Provide a toll-free service line for incoming CCPA requests

Many companies today have turned their users’ personal information into a lucrative business. In fact, many tech companies allow advertisers to reach users based on demographics, search history, and preferences. And most of the companies have been able to do what they please with consumer data – until now.

While compliance with this legislation may feel daunting, changes have been made to the law to simplify certain aspects. For example, HR information and personal data related to B2B communication are exempt from the law until 2021. Over the next few months, companies will be looking to Silicon Valley and major technology companies to take the lead in CCPA compliance, since they have the money, manpower, and technology to do so compared to their startup colleagues.

Effects of this regulation on a larger scale

While there are state-specific notification laws that specify how companies should respond in the event of a data breach, Congress has yet to pass federal laws that determine how companies should collect and use consumer data. With the entry into force of the GDPR last year, however, Europe is ahead when it comes to ensuring consumer protection. The GDPR is currently considered the gold standard (and the strictest) of data protection laws.

In the United States, the momentum for comprehensive state-level data protection laws is higher than ever. Shortly after the California Consumer Privacy Act was passed in 2018, several states proposed similar consumer protection laws within their own borders. Nevada and Maine have already passed their own laws, while New York, Hawaii, Massachusetts and Washington are considering their own laws, with varying degrees of strictness and varying proximity to entry into force.

In general, companies in the United States should use California’s new legislation to prepare for new regulations that may be enacted in their home state or at federal level. If properly implemented and included, this type of regulation can have a positive impact on both consumers and businesses.

Learn more about the CCPA here and access useful resources that can help companies adapt to and comply with new laws in good time.

Adam Prince, Vice President of Product Management, Compliance, Brexit and Migration, Sage

