
Published on: Jan 16, 2021 | Updated: Jan 16, 2021

What the CCPA Means for Your Business in 2021

In June 2018, the California legislature passed a landmark privacy bill that created significant new data protection obligations for organizations and new privacy rights for individuals in California. 

This law became known as the California Consumer Privacy Act (CCPA), the most comprehensive privacy law in the United States to date, designed to give California consumers more control over their personal information.

Key provisions of the CCPA include the following data protection measures for consumers:
  • Right to access information - access to the "what, who, and why" of their personal information.

  • Right to deletion - ability to request that an organization delete the personal information it has collected about them.

  • Right to opt out - ability to direct the organization to not sell their personal information to third parties.

For the CCPA to apply, a for-profit organization must do business in California and collect personal information of California consumers; a physical presence in California is not required. The organization must also meet at least one of the conditions below:

  • Generate annual gross revenue of more than $25 million;

  • Buy, receive, sell, or share the personal information of over 50,000 consumers, households, or devices; or

  • Earn at least 50% of its annual revenue from selling consumers' personal information.

What types of information are exempt from CCPA requirements?

It’s important to know that not all information falls under the watchful eye of the CCPA. Certain categories are carved out from the law’s requirements. For example, data already regulated under federal laws may be exempt, including medical information governed by HIPAA, financial records covered by the Gramm-Leach-Bliley Act (GLBA), and consumer credit details under the Fair Credit Reporting Act (FCRA).

Additionally, publicly available information (think details lawfully obtained from government records) isn’t protected by the CCPA. However, it's worth noting that these exemptions do not apply to CCPA’s data breach liability provisions, so organizations should still take proper care when handling any personal data.

The Grace Period

Even though the CCPA went into effect on January 1, 2020, there was a six-month grace period for applicable organizations to prepare their privacy policies and enhance their data ethics and compliance programs before enforcement began on July 1, 2020.

With the grace period over, enforcement is now in effect and California's Office of the Attorney General can impose penalties for infractions. Depending on the severity and number of violations, enforcement actions range from an injunction (minor) to financial penalties (more severe).

The cost of non-compliance is high, whether the violation is intentional or unintentional. The CCPA's enforcement provision states: "any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty."

If the organization knowingly disclosed consumer personal information, the penalty is $7,500 for each intentional violation. If the organization unknowingly violates the CCPA, the penalty is $2,500 for each violation.

It is important to note that each violation is counted per individual record an organization holds. As you can see, the financial penalties add up quickly if you have a database with thousands of records.

In addition, the CCPA grants a private right of action to individual Californians. Consumers can initiate civil action against the organization for up to $750 per incident or the actual damages, whichever is greater. The onus is on the organization to demonstrate that it has implemented reasonable security practices and privacy protection measures.

The Quick Wins

With the CCPA enforcement upon us, it is now more crucial than ever to validate your compliance programs. If your organization is not compliant now, you need to get up to speed as quickly as possible. But most importantly, do not panic.

With a focused effort, you can hit the ground running and start putting some of the requirements in place. Here is some low-hanging fruit to get you started:

  • Make sure your leadership team knows what the CCPA is, why it is important, and what resources the organization will need to commit for the remainder of 2020 and beyond.

  • Update your privacy policy and website notices to include detailed disclosures on how you collect, use, or share personal information, along with a description of consumers' rights and how they can exercise them. Share this with your third-party vendors.

  • Inform and educate your customer-facing staff on how to recognize consumer requests (e.g. a request for a copy of the personal information you hold on them, or a request to delete or opt out of the sale of their personal information) and where to route them when they come in (e.g. a dedicated privacy email address such as privacy@companyname.com).

  • Create an opt-out option on your website so that consumers can request to be forgotten.

Building a Personal Information Inventory

To effectively align your organization with CCPA requirements, one of the first major steps is to develop a comprehensive personal information inventory. This process involves more than just cataloging data—it’s about understanding the entire lifecycle of personal information within your company.

Start by mapping out where personal information enters, moves through, and is stored across your business. This includes identifying all applications, databases, and third-party systems that handle data capable of identifying, describing, or reasonably being linked to a consumer or household.

Here are some practical steps to guide your inventory-building process:

  • Catalog Data Sources: List out all data sources—customer records, website forms, employee files, marketing databases, and any other channel where personal data is collected.

  • Map Data Flows: Create diagrams or flowcharts tracing how personal information travels through your systems, who interacts with it, and where it ultimately resides.

  • Document Data Types: For each data source, note the types of personal information collected (e.g., names, email addresses, purchase history, device identifiers).

  • Identify Storage Locations: Record all physical and digital locations, including cloud environments and vendor platforms, where personal information is stored.

  • Assess Access Points: List who has access to each type of data, internally and via external vendors or partners.

Remember, under the CCPA, safeguarding information that can be linked to an individual is not optional. By establishing a thorough inventory and maintaining accurate records, you place your organization in a strong position to respond to consumer requests and regulatory inquiries—and ultimately, to protect both your customers and your business.

Leveraging Automation Platforms for Compliance

Keeping up with data requests, managing privacy policy updates, and reacting quickly to incidents can quickly get out of hand if you’re trying to do everything manually. As CCPA requirements become embedded in day-to-day operations, automation platforms have stepped forward as indispensable tools.

Here’s why automation should be on your radar:

  • Efficiency and Accuracy: GRC platforms streamline repetitive compliance activities—like tracking consumer requests to access or delete personal information—minimizing human error and reducing turnaround time.

  • Continuous Monitoring: Automated compliance tools handle ongoing monitoring and reporting, so you can stay ahead of potential gaps without needing to conduct frequent, resource-heavy audits.

  • Centralized Documentation: Automation helps keep all compliance-related evidence and activities organized. When the Attorney General comes knocking, having a clear record of your efforts can make all the difference.

  • Risk Management: Many platforms come equipped with built-in risk assessments, automatically updating your compliance status as your systems and data evolve.

  • Scalability: As your business grows, so does the complexity of your obligations. Automation solutions adapt easily, ensuring your compliance program is always up to the challenge.

Investing in automation not only simplifies your journey toward CCPA compliance, but also frees up resources so your team can focus on higher-value tasks, rather than getting bogged down in administrative details.

The End Game

Over the longer-term horizon, a more robust privacy program is necessary to address a law as complex and detailed as the CCPA. This track covers what you need to do to implement and maintain CCPA compliance. The list highlights the core phases but is not intended to be exhaustive:

  1. Perform Assessment of Current State - map existing processes and data flows against CCPA requirements; understand the impact and key stakeholders.

  2. Build Awareness and Alignment - identify resources to address the required changes.

  3. Design Blueprint of Future State - create a detailed roadmap of your CCPA journey.

  4. Develop and Implement - design and deploy the new policies, processes, or tools needed.

  5. Monitor - implement an oversight function to monitor and enforce CCPA compliance.

For more information on the CCPA, refer to the State of California Department of Justice's website. If you're looking for a GRC tool to help manage compliance with the CCPA and similar cybersecurity frameworks, reach out and let's discuss next steps.