Businesses today must keep consumer data private, because consumers are increasingly concerned about the data they hand over. They want to know how it is used and whether it is being passed on to third parties they have never heard of.
Much of this awareness can be credited to the CCPA, which took effect in 2020. Californian business owners began to iron out their compliance strategies to maintain their customers’ trust as well as their reputation. The lawsuit against Zoom, which alleged that the company shared its users’ personal information with Facebook, was a wake-up call for many companies.
Let’s discuss the law and what you can do to ensure your business is compliant with the CCPA.
What’s CCPA?
The California Consumer Privacy Act (CCPA) is a California law that requires covered businesses to tell consumers what personal information they collect and to let consumers control how that information is used, shared, and sold.
Consumers can request to know what personal information a business collects about them, how it is used, and with whom it is shared or sold. Businesses must honor a consumer’s request to opt out of the sale of their personal information, and must obtain opt-in consent before selling the personal information of consumers under 16.
In practice this means that tracking cookies, ad targeting, and sharing with third parties or affiliates must be disclosed in your privacy notice and must stop for any consumer who opts out.
After years of lobbying for better consumer privacy protections in the United States, the CCPA was signed into law in 2018 and took effect on January 1, 2020. It gives California residents greater control over their data and more choices when companies such as yours collect it.
Here are some examples of privacy rights:
- You can opt out of having your name added to a marketing list or your personal information sold
- You can request that a business delete the personal information it holds about you
- You have the right not to be discriminated against for exercising your CCPA rights
How can you determine if CCPA applies to your business?
If you are a for-profit business that operates in California or sells to California residents, the CCPA applies to you if any of the following is true:
- Your annual gross revenue exceeds $25 million
- You buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices per year
- You derive 50% or more of your annual revenue from selling Californians’ personal information
Penalties for failing to comply
The regulator (the California Attorney General) notifies a business that it is not in compliance with the CCPA and gives it 30 days to cure the violation. If the business does not, it can be fined up to $2,500 per violation, or up to $7,500 per intentional violation.
Are you already GDPR-compliant and need CCPA compliance?
Even if you are GDPR-compliant, that doesn’t automatically make you CCPA-compliant. Although the two look similar on the surface, they have different requirements and audiences.
Osano: CCPA and GDPR explained
It is important to know that CCPA is an “opt-out” regulation and GDPR is an “opt-in” one. Under GDPR, a business needs a lawful basis, usually the user’s prior consent, before it processes or shares their data. Under CCPA, a business may collect and sell data by default, but it must let consumers opt out of the sale and must honor their requests to access and delete their data.
GDPR also requires organizations to take appropriate technical and organizational measures to keep personal data secure. CCPA, on the other hand, is mostly about notice and consumer choice, although it does let consumers sue over data breaches caused by a failure to maintain reasonable security. Read Osano’s guide to learn more about the differences between CCPA and GDPR.
It is important to understand which data privacy and security laws apply to your business. That depends not only on where the business is located and how much revenue it generates, but also on whose data it handles. If your business serves EU residents, for example, you need to comply with GDPR whether or not you are located in the EU.
How can a business be CCPA-compliant?
1. Be aware
To determine whether the CCPA applies to your business, first learn what the law requires and check the thresholds above. If you are still unsure whether the CCPA applies to you, comply anyway. It is better to be safe than sorry.
Discuss the matter with your top management and board. Let them know the importance of CCPA compliance. Also, let them know the consequences of not complying.
Assign dedicated staff to own CCPA compliance and to continuously monitor and measure data privacy and security risks within your company.
2. Perform gap analysis in the organization
Before you begin the compliance work, be clear about what customer data you hold, where it is stored, and who can access it.
These are the steps to effectively conduct a gap analysis.
- Check your company’s financial statements or annual report to see whether you meet the revenue threshold.
- Identify the group of customers, prospects, job candidates, newsletter subscribers, and employees from which you are collecting data.
- If applicable, understand your current data privacy practices
- Which areas are you currently in compliance with?
- What areas aren’t covered yet?
- If you use a customer data platform, check whether it is secure and who has access to it.
This analysis will help you to create a plan for how you’ll comply with CCPA.
Likewise, look at how your vendors and employees handle customer data.
Ask your employees if they have copies of customer data. If so, make sure you have them deleted. Ensure you know where receipts and other documents are kept and what happens to them.
Know what happens to customer data you share with third-party vendors. Is it shared onward? If so, who has access to it?
3. Update policies
After mapping the personal data within your company, review your current data protection procedures, methods, and policies. Once you know what your data privacy policies say, update them or create new ones if they don’t exist.
Verify that your data privacy policies are in line with the CCPA, including the opt-out notices (and, for consumers under 16, the opt-in consent) the law requires.
Plan how you will respond to customer requests to delete or access information. Once you have the details figured out, share them with your employees so they can follow the guidelines. It is a good idea to keep all information regarding policies and procedures in one place so that all employees can refer to it.
Publish a privacy page on your website, which should include all of the policies and rules your organization follows to comply with CCPA.
Your privacy page should cover at least the following:
- What information you gather from customers and visitors
- How you collect it: email, chat, phone, web forms, etc.
- Which information you deliberately don’t collect because you don’t need it, such as date of birth or marital status
- What you do with the data you have gathered
- Who you share the data with
- What rights your visitors and consumers have under the CCPA
- For what purpose you sell their data, if you sell it at all
4. Training for compliance among employees
You must also ensure that all staff involved in CCPA processes receive proper training. This includes those who answer clients’ privacy questions.
Keep everyone with access to personal information on servers, workstations, and in the cloud informed about the CCPA requirements and your company’s privacy policies. Offer training sessions to anyone who requests them, and communicate any changes to CCPA requirements or to your own policies as they happen over time.
5. Make it clear to your customers
This is especially important for online shoppers and website visitors. Keep your customers informed about the security precautions you take to ensure their trust.
Send cookies consent notifications
Ask the visitor for consent before collecting any personal information, and tell them that you are doing so. Show the cookie notice before any tracking cookies are set, not only when they make a transaction on your site.
A cookie notice usually displays the following:
- A statement that cookies are being used, and for which purposes, with the complete list of cookies
- A button that lets the visitor accept the cookies, and a way to refuse them
- A link to your privacy policy page for more information
Access/Delete personal information
Display a button or link on your website that lets users change their preferences, for example on a payment page or in a preferences list. Users should be able to select or deselect each information-sharing preference individually and have full control over them.
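The cookie notice and the preference page above both come down to one piece of logic: record the visitor’s decision, persist it, and consult it before any tracking script runs or any record is included in a data sale. The following is an added example, not code from the original article; the cookie name, the consent categories, and the script registry are assumptions chosen for illustration.

```javascript
// Added example (not from the original article): a DOM-free consent gate that
// backs a cookie notice (accept / refuse) and a preferences page with a
// "do not sell my personal information" toggle. Cookie name, category names
// and the script registry below are assumptions for illustration.

const CONSENT_COOKIE = "ccpa_consent";      // assumed cookie name
const ONE_YEAR = 365 * 24 * 60 * 60;         // seconds

// State before the visitor answers the notice: no tracking categories are on,
// so nothing non-essential loads. "sale" models the CCPA opt-out of sale:
// it is allowed by default and turned off the moment the visitor opts out.
function defaultConsent() {
  return { decided: false, analytics: false, advertising: false, sale: true };
}

function acceptAll(consent) {
  return { ...consent, decided: true, analytics: true, advertising: true };
}

function refuseAll(consent) {
  return { ...consent, decided: true, analytics: false, advertising: false };
}

// Preferences page: each category can be toggled individually.
// setPreference(consent, "sale", false) is the "Do Not Sell" opt-out.
function setPreference(consent, category, allowed) {
  if (!["analytics", "advertising", "sale"].includes(category)) {
    throw new Error(`unknown consent category: ${category}`);
  }
  return { ...consent, decided: true, [category]: Boolean(allowed) };
}

// Persist the decision. Max-Age keeps an opt-out from dying with the session;
// SameSite=Lax and Secure keep the cookie from being forged or sent cross-site.
function serializeConsent(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${ONE_YEAR}; SameSite=Lax; Secure`;
}

// Parse a Cookie header (or document.cookie) back into a consent object.
// Missing or malformed values fall back to the default, so a corrupted
// cookie can never switch tracking on; only an explicit false is an opt-out.
function parseConsent(cookieHeader) {
  const fallback = defaultConsent();
  if (!cookieHeader) return fallback;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      return {
        decided: parsed.decided === true,
        analytics: parsed.analytics === true,
        advertising: parsed.advertising === true,
        sale: parsed.sale !== false,
      };
    } catch (e) {
      return fallback;
    }
  }
  return fallback;
}

// Every third-party tag declares the category it belongs to (assumed URLs).
const SCRIPT_REGISTRY = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

function isAllowed(consent, category) {
  if (category === "necessary") return true;
  return consent[category] === true;
}

// Scripts the page may load for this visitor. Run on every page load after
// parseConsent, so a decision recorded earlier keeps being honoured.
function scriptsToLoad(consent, registry = SCRIPT_REGISTRY) {
  return registry.filter((s) => isAllowed(consent, s.category)).map((s) => s.src);
}

// Server side: may this visitor's record be included in a data-sale export?
function mayIncludeInSale(consent) {
  return consent.sale === true;
}
```

On first visit, `parseConsent` returns the default and `scriptsToLoad` yields only the necessary script, so the analytics and advertising tags are never injected before the notice is answered. The opt-out survives because it is stored with a long `Max-Age` and re-read on every request; the sale check lives in a separate function so that back-end export jobs can apply the same rule as the front end.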
To summarize
Phi Dang says that being CCPA compliant will not only help you avoid costly lawsuits and penalties but also build your customers’ trust. It will help you differentiate yourself from the rest and allow you to scale up your business!