With 2019 coming to a close and the CCPA deadline for compliance a couple of days away, we wanted to revisit the law and some last-minute details to make sure that you are prepared for 2020.
Assess Whether CCPA Applies to the Organization
Does your organization need to comply with CCPA? Not all companies will find that they fall under the definition provided. The law specifies that businesses that do business in California, regardless of where they are headquartered, and meet the following criteria must comply:
- Businesses that have annual gross revenues in excess of $25 million
- Businesses that annually buy, receive for the business’ commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
- Businesses that derive 50 percent or more of their annual revenues from selling consumers’ personal information
Review your Vendor Relationships
For a recap of how to prepare, revisit our blog where we discuss how to make sure your relationships with third-party data comply with CCPA. Some steps that organizations can take to understand how to handle vendor relationships and prepare for CCPA are summarized below:
- Create a list of all vendors and third parties that are receiving data from the organization
- Review any existing data maps, which should include all the organizations that your business is sharing data with, as well as the purpose of sharing the data.
- Review contracts with all outside organizations to assess the rights the partner/vendor has to the data and determine if additional Privacy Impact Assessments will be required.
- Outline how third-party organizations are permitted to use the data. Are they able to act as a data controller?
- Identify controllers and processors in contracts so you know who is the decision-maker when it comes to the data being shared among organizations.
Additional Check Points:
- Enable consumer requests, engagement and opt-out of data sales
- Make sure all employees are trained and know what to expect with CCPA.
Expect the CCPA to be Enforced
If you were hoping to wait until 2020 to see how CCPA unfolds in the new year, you may want to reevaluate and take steps to prepare quickly.
December has made it clear that California will not be taking the CCPA lightly. In response to requests to postpone the CCPA deadline, Attorney General Xavier Becerra said in an interview with Reuters, “We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that … demonstrate an effort to comply. If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
With that bold statement and the announcement of the proposed California Privacy Rights Act, California is making a prominent display of just how seriously data privacy rights will be taken by the state, leading the way in this space.
One of the interesting pieces of the CCPA, and one that businesses need to be keenly aware of, is the consumer’s private right of action. In the new year we will be looking to see how California residents may exercise this right, what, if any, lawsuits may unfold, how companies will respond, and the fines that will be paid. These lawsuits may originate from instances where consumers’ “non-encrypted or non-redacted personal information” is breached, or if they feel that their data has not been handled according to accepted agreements. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive even more.
This all means that California is taking this law very seriously. If you would like more insight into CCPA, take a look at our previous series on the topic here. We at Validity will continue to keep you updated on the ever-evolving data privacy space and wish you a Happy New Year!