The CCPA In 2021


In June 2018, the California legislature passed a landmark privacy bill that created significant new data protection obligations for organizations and new privacy rights for individuals in California. This law became known as the California Consumer Privacy Act (CCPA). It is the most comprehensive privacy law in the United States to date and is designed to give Californian consumers more control over their personal information.

Key provisions of the CCPA include the following new data protection measures for consumers:  

  • Right to access information – access to the “what, who, and why” of their personal information. 
  • Right to deletion – ability to request that an organization deletes personal information which has been collected about them.  
  • Right to opt out – ability to direct the organization to not sell their personal information to third parties.  

For the CCPA to apply, a for-profit organization must do business in California and collect the personal information of California consumers; a physical presence in the state is not required. The organization must also meet at least one of the conditions below:

  • Generate annual gross revenue of more than $25 million;
  • Buy, receive, sell, or share the personal information of over 50 thousand consumers, households, or devices; or
  • Earn at least 50% of its annual revenue from selling consumers’ personal information.

The Grace Period 

Even though the CCPA went into effect on January 1, 2020, applicable organizations were given a six-month grace period to prepare their privacy policies and enhance their data ethics and compliance programs before enforcement took effect on July 1, 2020.

With the grace period over, enforcement is now in effect and California’s Office of the Attorney General can impose penalties for infractions. Depending on the severity of the infraction and the number of violations, enforcement actions can range from an injunction (minor) to financial penalties (more extreme).

The cost of non-compliance is high, whether the violation is voluntary or involuntary. The CCPA enforcement provisions state: “any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty.”

If the organization knowingly disclosed consumer personal information, the penalty is $7,500 for each intentional violation. If the organization unknowingly violates the CCPA, the penalty is $2,500 for each violation.

It is important to note that each violation relates to each individual record an organization possesses, so the financial penalties add up quickly for a database holding thousands of records.

In addition, the CCPA grants a private right of action to individual Californians. Consumers can initiate civil action against the organization for up to $750 per incident or the cost of the actual damages (whichever is greater). The onus is on the organization to demonstrate that it has implemented reasonable security practices and privacy protection measures.

The Quick Wins  

With CCPA enforcement upon us, it is now more crucial than ever to validate your compliance program. If your organization is not compliant now, you need to get up to speed as quickly as possible. But most importantly, do not panic.

With a focused effort, you can hit the ground running and start putting some of the requirements in place. Here is some low-hanging fruit to get you started:

  • Make sure your leadership team knows what the CCPA is, why it is important, and what resources will be required from the organization for the remainder of 2020 and beyond.
  • Update your privacy policy and the notices on your websites to include detailed disclosures on how you collect, use, or share personal information, a description of consumers’ rights, and how they can exercise those rights. Share this with your third-party vendors.
  • Inform and educate your customer-facing staff on how to recognize consumer requests (e.g. a request for a copy of the personal information you hold on them, or a request to delete or opt out of the sale of their personal information) and where to send them when they come in (e.g. a dedicated privacy email address such as privacy@companyname.com).
  • Create an opt-out option on your website so that consumers can request to be forgotten.

The End Game   

Over the longer-term horizon, a more robust privacy program is necessary to address a law as complex and detailed as the CCPA. This track focuses on everything you need to do to implement and maintain CCPA compliance. The list highlights the core phases but is not intended to be exhaustive:

  1. Perform Assessment of Current State – map existing processes and data flows against CCPA requirements; understand the impact and identify key stakeholders.
  2. Build Awareness and Alignment – identify the resources needed to address the required changes.
  3. Design Blueprint of Future State – create a detailed roadmap of your CCPA journey.
  4. Develop and Implement – design and deploy the new policies, processes, or tools needed.
  5. Monitor – implement an oversight function to monitor and enforce CCPA compliance.

For more information on the CCPA, refer to the State of California Department of Justice’s website. If you’re looking for a GRC tool to help manage compliance with the CCPA and other similar cybersecurity frameworks, reach out and let’s discuss next steps.