CCPA Readiness for SMBs
If you’re responsible for a marketing automation tool, or if you’re on your company’s management team, you’ve probably heard of the California Consumer Privacy Act (CCPA), which has recently come into effect. However, you may not fully understand what the CCPA is and what it means for your business. Essentially, the CCPA regulates how you collect, process, store and use consumer data, putting more control in the hands of consumers and subscribers.
How does this affect you, your company, and your subscribers? We’ll give you some high-level details to get you started on complying with this regulation, which took effect on January 1, 2020. If you conduct business with any consumers residing in California, ask yourself these three questions. If you answer “yes” to any of them, chances are you’ll have to comply with the CCPA.
First: Is your revenue more than $25 M per year?
This includes any sole proprietorship, partnership, LLC, corporation, or other legal entity that is operated for profit and generates an annual gross revenue in excess of $25 million.
Second: Do you receive 50,000+ consumer records per year?
Does your business annually buy, receive, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices?
Third: Do you derive 50% or more of your annual revenue from selling consumers’ personal information?
Does your business sell, release, or disclose personal information of California consumers to another business or third party in exchange for money? If so, review whether 50% or more of your annual revenue is generated by these transactions.
If you answered “yes” to any of the above:
For companies that fall under the CCPA, here are action items to ensure you are complying with the law:
- Provide customers with a notice at or before collection of their data
- Disclose to consumers if you plan to sell or share their personal information
- Provide a “Do Not Sell My Info” option on your website for those individuals who wish to opt-out
- Respond to consumer requests to know, delete, or opt-out within certain time frames
- Maintain records of requests to validate your compliance with CCPA
If you answered “no” to all the above:
You are most likely not required to make drastic changes to your current business operations; however, it is still recommended that you ensure the security of your customers’ personal information. Data privacy should always be a top priority when conducting business, as it is highly valued by any customer. The Pew Research Center states that nearly half (49%) of Americans believe their personal information is less secure than it was five years ago. Therefore, it is beneficial not only for large corporations but for businesses of all sizes to enhance their privacy protections.
Adjusting your business practices to be compliant with CCPA will not only show customers that you care about their consumer rights, it will also set you up for success as future regulations continue to roll out nationally in the next few years. A solid step in ensuring preparedness for future consumer data regulations is to implement a formal information security program. Consider applying these procedures to increase data security within your organization:
- Evaluate the current state of how consumer data is processed by reviewing your existing privacy policies, notices and statements. Identify potential risks to customer data and develop a plan.
- Form a compliance team to help develop and implement your plan.
- Establish policies & procedures and evaluate your plan by testing controls.
- Rehearse incident response plans.
- Adjust the plan and maintain it through audit processes. This will ensure your plan stays current as data regulations within the U.S. unfold.
Compliance with the CCPA shouldn’t be a daunting task for anyone. Just as the GDPR set the standard for regulation of consumer data within Europe, the CCPA was created to protect California consumers’ rights within the United States. A recent study published by Risk Based Security revealed that data breaches have increased more than 50% over the last four years. This rise in security incidents has heightened awareness for stronger controls over privacy and data protection. As the data privacy landscape continues to evolve and we transition into a new era of regulation and compliance, it is important to keep your business practices and security measures up to date.