European-style data protection standards are coming to California.
Just as businesses around the world finish scrambling to comply with GDPR – the General Data Protection Regulation – enterprises that do business in California face a whole new challenge.
The California Consumer Privacy Act (CCPA) will take effect in January 2020 and will provoke sweeping changes to the way data from California consumers may be collected and used.
Although the law will technically only apply to personal data collected about consumers in California, the changes are so significant that many large enterprises are taking the opposite tack: developing a new privacy regime with end-to-end CCPA compliance baked in.
Here’s how you can prepare.
Figure Out if You’re Affected
Enterprises with any customers in California should be alert to the new standards.
You are affected if any of the following applies to you:
- You have an annual revenue of at least $25 million.
- You buy data on 50,000 households, individuals, or devices.
- At least 50% of your annual revenue comes from protected consumer data.
Get Ready for a Slew of New Demands
California consumers now own their data – yes, the same data you work hard to collect, cultivate, and contain – the entire time it’s in your possession. That means you need to be ready to field a whole bunch of new requests they might make relating to their property.
Start planning how you’ll do the following:
- Share exactly what information you’ve collected on any given consumer.
- Disclose the full list of parties to whom you’ve provided or sold that data.
- Cease all sale of a given consumer’s personal data (“the right to opt out”).
- Delete their personal information from data systems under your control.
- Provide equal service (and price) to any consumer who invokes these rights.
There is one bright spot: Unlike GDPR, which requires Europeans to affirmatively opt in for data collection, CCPA will let U.S. businesses continue their baseline analytics activities without opt-in. That means, for example, you can continue to monitor Web traffic as it reaches your site.
Take Basic Actions Right Away
These steps will get you off to the right start with CCPA:
- Discuss your obligations with your legal counsel.
- Determine what data you collect and how you store it.
- Ensure personal data is either encrypted or redacted.
- Review or define data management policies and roles.
- Update your privacy policies for CCPA compliance.
- Implement explicit opt-in gateways where appropriate.
- Design a strategy to communicate policies to consumers.
- If needed, hire a Chief Privacy Officer (CPO).
CCPA adherence makes an organization more trustworthy in the eyes of prospective customers. The sooner you begin, the easier it’ll be to adjust without any interruptions in service.