As big data gets bigger, regulators have begun to crack down on what companies can do with users’ private data. One of the most recent pieces of legislation regarding data is the California Consumer Privacy Act, or CCPA. CCPA compliance is not particularly complicated, but if done wrong, it could cost your company millions of dollars or more.

What Is the CCPA?

The CCPA is California’s answer to the European GDPR. Signed into law in June 2018, it took effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020. It establishes several rights for California residents, such as the right to transparency regarding their data, the right to have it deleted, and the right to stop a business from selling it.

Failure to follow CCPA requirements can result in civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation. Since most companies keep data on a large number of users, and each affected consumer can count as a separate violation, the fines can add up very quickly. So, how do you know if your business needs to be CCPA compliant?

Who Does the CCPA Apply To?

The law specifies that any for-profit business that collects California consumers’ personal information and meets at least one of the following three conditions is subject to the CCPA:

  1. Your business has annual gross revenues in excess of $25M (total revenue, not only revenue earned in California)
  2. Your business buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices per year
  3. Half or more of your annual revenue comes from selling consumers’ personal information.

Your business does not have to be based in California to be subject to the CCPA. In fact, you don’t even need to have a local office or registered address in California. If any of the three conditions are met, you need to adhere to CCPA compliance guidelines.

Make sure to keep up with changes to the regulatory landscape, however. The California Privacy Rights Act (CPRA), appearing as Proposition 24 on the November 2020 ballot, would amend the CCPA. Among other changes, it raises the second threshold above from 50,000 consumers, households, or devices to 100,000 or more consumers or households. If adopted, the new ballot initiative will go into effect on January 1, 2023. In addition, other states are in the process of creating their own versions of data privacy regulations. In the meantime, if you meet one of the above 3 requirements, your business is subject to CCPA enforcement.

4 Steps to CCPA Compliance

What changes do you need to make to your business to ensure that it is compliant with the CCPA? Each of these steps corresponds to the various rights consumers have been granted under the new legislation.

1. Respect the Right to Disclosure

Transparency is the backbone of the CCPA and should be the first place where you make changes.

Therefore, the first step to CCPA compliance involves the right to disclosure and creating transparency on your website. The law requires you to proactively inform consumers about your data gathering practices. This “notice at collection” must be given at or before the point of data collection, and it must state the categories of personal information you collect and the purposes for which each category will be used. For example, if you have a website for your business, you can use a banner or pop-up that states what data the site collects and why, with a link to the full privacy policy.

In addition, you should include a link to your privacy policy, which must be updated at least once every 12 months. That privacy policy must inform consumers of the categories of personal information collected about them, the categories of sources of that information, the business purpose for collecting it, and the categories of third parties the information is shared with or sold to. The business must also provide a description of the consumers’ rights under the CCPA and how to exercise them. (The specific pieces of personal information held about an individual consumer are disclosed in response to that consumer’s request, not listed in the policy itself.) Businesses are prohibited from collecting additional categories of personal information, or using collected information for purposes other than those disclosed, without first providing a new notice.

2. Give Opt-Out and Deletion Information

The CCPA also gives consumers the right to deny businesses the ability to sell their data. Therefore, you need to provide an opt-out system for users. It also gives them the right to have their data deleted upon request. Let’s look at both of these separately.

Opt-Out of Data Sales

If you sell data to other companies, then you must give consumers a way to opt out of data sales. The law requires a clear and conspicuous “Do Not Sell My Personal Information” link on your homepage and in your privacy policy; that link can lead to a simple form or to a dedicated email address that handles these requests. Do not require the consumer to create an account in order to opt out, and honor the request without asking for more personal information than you need to process it.

If you don’t sell data, the CCPA’s opt-out right does not apply to your own use of it for marketing, but you should state plainly in your privacy policy that you do not sell personal information. Keep in mind that the ballot initiative discussed above would extend the opt-out to “sharing” personal information for cross-context behavioral advertising, so data passed to advertising partners may need an opt-out even when no money changes hands.

Right to Be Forgotten

With few exceptions, you must respect any verifiable request to delete the personal information you have collected from a particular individual. You can create a simple online request form (often called a Data Subject Access Request, or DSAR, form, borrowing the GDPR term) that the user can submit to request their information be deleted, and share the contact information for the department that processes those requests. You must also instruct any service providers holding that data to delete it. Unless an exception applies, such as still needing the consumer’s home address to ship a product they ordered, or a legal obligation to retain the record, you must comply with the right to be forgotten.

Best practices recommend sending the client a report of what was deleted for maximum transparency. However, this isn’t strictly required by the law. Although users have the right to request a report of what data you have on them, unless specified in the deletion request, a simple notification is sufficient.

3. Implement Smart Data Management

In order to actually respond to consumer requests under the CCPA, you need to know what data you have and who else has access to it. If a user sends a request to know, not only do you have to divulge the specific pieces of personal information you hold on that user, but you must also identify the categories of third parties with whom that information has been shared or sold. Locating this specific data quickly and inexpensively, however, is a challenge for many organizations. A data intelligence and automation tool like Aparavi can produce 300% faster searches while saving costs and reducing human error.

CCPA’s Definition of Private Data

What constitutes private data? The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

This means that virtually any point of data can qualify as long as you have a way to reasonably link it to a specific consumer.

So, you need a system that can manage all of your data with minimal fuss. Regardless of how sprawling and chaotic your data may be, and regardless of where it’s stored, The Aparavi Data Intelligence & Automation Platform makes it easy to find relevant data quickly.  Data privacy regulations, including CCPA, are updated automatically, and one single open platform enables you to capture, manage, retain, and deliver content.

4. Create a System to Handle Customer Requests

Finally, your business needs a department and processes to handle consumer requests. You will need employees who can verify the requester’s identity and handle the request properly, as a response must be delivered within 45 days of receipt (extendable once by a further 45 days when reasonably necessary, provided you notify the consumer of the extension).

Using an advanced data management system like Aparavi can save you time and ultimately money. If your data is disorganized, your ability to handle consumer requests is going to be severely limited. Not only does Aparavi connect all of your company’s unstructured data in one data lake, it also makes that data searchable with an easy-to-use query builder that can create reports based on individual data privacy policies, like the CCPA.

Aparavi makes it easy to locate consumers’ personally identifiable information (PII) and understand where that information lives in your organization, whether on-premises, cloud, edge or endpoints. In addition, if that information lives somewhere that is subject to increased security risks, you can locate it and move the data to a secure storage location.

Know Your Data and Put It to Work

If you don’t have a handle on your data, contact Aparavi today. We turn data chaos into data opportunities with our data intelligence and automation platform, simplify your CCPA implementation, and open up new opportunities for your business today.