Much has changed due to the Covid-19 crisis. But one thing that’s remained unchanged is the California Attorney General’s plan to begin enforcing the California Consumer Privacy Act (CCPA) on July 1.
With everything business leaders have to worry about right now, CCPA regulations can easily become an afterthought. After all, why worry about data privacy when you might not have a business come July? But it is more important than ever that companies familiarize themselves with the impending regulations and adjust their data security practices accordingly. Click here to find out if the CCPA applies to your business. If it does, read on to find out what you need to do before July.
This means that a business must now provide a clear and comprehensible notice of collection and intent at the moment it begins collecting personally identifiable information (PII) from a consumer. Fifty pages of unintelligible legal jargon do not count.
How to Write A Notice of Collection
Ensure your notice is:
- Readable across multiple platforms (mobile, laptop, tablet, etc.)
- Available in languages consistent with the contracts provided in your ordinary course of business
- Accessible to those with disabilities
- Includes the following:
  - The consumer’s right to know about information collected, disclosed or sold
  - The right to request deletion or opt out of the sale of personal information
  - If a financial incentive is being offered in exchange for allowing PII to be sold
  - Contact information for questions or concerns
  - The date the notice was last modified
Do not:
- Cram your notice with technical language or legal jargon
What Else Will be Enforced?
While many elements of the CCPA have come and gone across revisions, and the final regulations are still unconfirmed, here are some other requirements that will most likely be enforced in July, based on their consistent appearance across all drafts of the act.
Consumers must be able to submit requests to opt out of data collection and requests for the deletion of existing personal information. Consumers must be given two or more methods for submitting deletion and opt-out requests. These requests must be acknowledged within 10 business days and given a response within 45 calendar days. Businesses must verify the identity of customers submitting a request to know or delete, while requests to opt in to the sale of personal information must follow a two-step process in which the customer submits a request and the business then confirms the request via a separate channel (similar to two-factor authentication).
And don’t forget that the CCPA will also hold businesses accountable for how they handle data security internally. Employees and contractors must be appropriately trained on the requirements of the CCPA regulations. Retention schedules and policies must be updated in anticipation of consumer requests for information.
Finally, “reasonable security measures” must be put in place to transmit personal information. This should at the very least include data encryption, and best practices also recommend anonymizing or pseudonymizing data – so that in case of a breach, the data cannot be associated with its owner.
Don’t Wait Until July! Prioritize Compliance Today.
Needless to say, adjusting your policies to comply with the CCPA will be a laborious endeavor. However, failing to act now will carry steep monetary and regulatory consequences. Though the attorney general is holding off until July, consumers are not. A recent class-action lawsuit involving Zoom has highlighted the fact that companies can already be held accountable under the CCPA’s private right of action clause, which allows consumers to sue for statutory or actual damages resulting from a data breach. Consumers may seek between $100 and $750 per violation.
And breaches aside, failing to comply with the CCPA will be costly. Come July, the attorney general will be allowed to issue fines up to $2,500 per negligent violation and up to $7,500 for intentional violations. Invest the money now to avoid steeper costs down the line.