Compliance is Now
The California Consumer Privacy Act is rolling in with an effective date for penalties on July 1, 2020. Many businesses, including a coalition of more than 60 business and trade groups, asked for a delay due to the current situation facing the country with the Coronavirus pandemic. However, California Attorney General Xavier Becerra said no. In fact, Becerra's office released this statement regarding their decision. "CCPA has been in effect since January 1, 2020. We're committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency."
There is some confusion due to some last-minute changes and decisions regarding the law, as the AG's office did not submit its final CCPA rulemaking package until June 1. The California Office of Administrative Law was given an extension of 90 days to approve the changes, typically done in 30 days, due to the pandemic. Governor Gavin Newsom requested this extension, but the AG Becerra asked for an expedited review.
These changes leave many businesses scurrying to get their data in line to meet the guidelines as the effective date of July 1, for impending steep penalties, will still stand. There are provisions in this new law that makes changes to how businesses handle the personal data of Californians dating back to January 1, 2019.
Many major corporations will likely be stuck with penalties in the upcoming months as they tweak their data systems to meet the new law's obligations. Some of these businesses include Facebook, Amazon, Google, and Walmart.
Many companies, including several major ones, had approached Attorney General Becerra's office, asking if he would provide them with a 'quality seal' of some kind, demonstrating they are CCPA compliant. This seal of approval from the government would endorse the company's data management system and certify that it met all state law requirements. Becerra's answer was a firm no.
Becerra had this to say about the requests for the seal. "Within such an evolving field, how do you make sure that everyone is conforming to what the seal represents?" Becerra did confirm that his office would try to work with companies that can show that they have made a good-faith effort to meet all of the legislative requirements of the law.
Are You Ready? Time's Up.
The sixth month grace period is over. As seen from the view of the AG's office and the residents of California, businesses have had ample time to prepare and warning of the consequences. Delay is not an option.
The CCPA was initially passed in 2018, giving businesses a two-year start to prepare for the launch of its effective date. Even with that, the law included a six-month interim for everyone to work out any hiccups in their data systems before the time in which enforcement would begin. If you're not ready now, you need to look at your business structure and see what went wrong. The penalties for noncompliance can be severe.
Unlike the General Data Protection Regulation in the EU, the CCPA has penalties that allow the consumer to sue for mishandling their information. If a major company were to get hit with a significant data breach, they could not only be fined by the state for their negligence but also have to shell out $2500 to every consumer. A substantial breach could very well put some business out of commission.
Steps to Prepare and Maintain
There are many things that a business can do to help ensure their successful compliance with this new legislation. One way is to understand and develop a trail of the consumer data that they handle. Knowing how the data is input, distributed, and destroyed to the end of its life-cycle is a crucial path to comprehending your risks.
Find out where and who within your company handles any personally identifying information or PII. On your flow-chart describing the life-cycle of your data, put endpoints of discovery at each variation. If you have one department in charge of inputting the information, then make that a point on your chart. Another point would be knowing who is handling or using the data within the company; various endpoints may be discovered depending on how data is used. Then find out who or what department is directed in the destruction of the data. End to end, you need to know how it flows through your hands.
Plan an assessment. An example would be the department that takes in all the consumer PII. Do you trust these employees with the data? There can be bad actors in any group, but have you done necessary background checks? Have you taken any additional steps to ensure their trustworthiness? Do you treat them well and worth their weight in your company? Disgruntled employees can also be an area that can create havoc on the business model. Treat them the way you would want to be treated, respectfully, and pay them their value. A worker who is happy in their job will work that much harder to protect it, and the company where they work.
Plan a security sweep of the department. Where is the data located? Is it going directly into the data system? Are there individual files spread out through the department or held in employee desks? Do employees write the information down? Each office, each desk must be reviewed, and it will only take one mistake to fall. A considerable breach can dissolve some business models, and you don't want to take that risk. It is not about what your employees think here; this is a security drill. Be sure they understand it as such, and let them know that there will be unannounced security drills in their future. Make it part of the plan.
Even employees who casually take a few notes to help them get through the day, it needs to be noted, and then explained how to destroy this information at the end of the day carefully. A harmless act can put your company at risk. Tossing scrap paper with detailed information scribbled on it in the wastebasket can wind up in the wrong hands. The liable party will be your company.
If you understand where PII resides within your company, you can take charge of unsecured endpoints and mitigate any future failure or breach. It is also ideal, if possible, for companies to limit who has access to what forms of data kept on each consumer. Once the data is put into the system, does everyone need access to the consumer's payment information? Even those who can take care of basic customer service requests can verify accounts without handling payment information — limit who gets to see what. One way to do this is to use quality data redaction software, like the one that CaseGuard offers.
Who is Responsible?
Once the new legislation is explained, and data check-points have been set up and cleared, who is responsible for the PII? Compliance is everyone's responsibility. Every member of your team should have this at the forefront of their thinking process. Having a compliance officer can help delegate tasks, but it still falls on everyone in the company to follow the procedures to protect the data. Should your plan fall short, or an employee fails to understand or be adequately trained, ultimately, the responsibility falls back onto the company in the way of lawsuits, state penalties, and individual consumer fines.
Give Consumers Control
To comply with the new legislation, your consumers must know and understand their rights regarding their personal data being used or stored by your company. One way to help get this across is to educate your consumer base. Tell them. Give them the options required by the new laws and make them easy to access. Some of the new requirements in the CCPA for consumer rights include:
- The right to know. Explain to your consumers upfront on what personal information is being collected, used, shared, or sold. Also, be sure they understand what types of PII the business has collected on consumers over the previous 12 months.
- The right to request the deletion of PII.
- The right to opt-out of the sale of PII.
- Do not discriminate against any consumer for exercising any of their rights. If they don't wish you to store their data, just don't, and move on. It belongs to them, ultimately.
If You Don't Comply
It would be in the best interest of your business to get on board. July 1, 2020, is the day that the California AG and all of California's residents will have an opportunity to hold your company to account. Severe financial penalties will now follow failure to comply. There can be lawsuits, state, and consumer fines. For a company handling large amounts of consumer data, a single breach can cost them $2500 per consumer.
The attorney general's office does not listen to complaints of last-minute changes or troubles due to outside events such as the Coronavirus. AG Becerra believes that Californians need to be protected in light of current events more now than ever. His office released a statement-making their conclusion clear. They will prosecute. "To the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute and when to prosecute."
It will be their decision and the decision of the consumers who feel violated by any noncompliance issues. Pull it together; it starts July 1.