Is your company prepared for upcoming data privacy regulations? Would it be compliant if it took effect today?

Data privacy has become an alarming, omnipresent issue due to misuse of personal data and massive security breaches on a global scale. In response, regulations have been enacted both domestically and abroad to counter these issues by holding businesses more accountable.

Data privacy is not highly regulated in the United States – however, that’s beginning to change. Several states, as well as the federal government, have been actively discussing and pursuing new legislation to address data privacy and to curtail further transgressions.

In June 2018, the state of California passed the California Consumer Privacy Act (CCPA), which will be effective January 1, 2020 and enforceable July 1, 2020.

What is the California Consumer Privacy Act?

The CCPA is a bill that enhances data privacy rights and protection of California residents – but it also has widespread implications on all businesses and the future of data privacy regulation.

The purpose of the act is to impose more stringent data guidelines on companies, which must demonstrate the ability to properly monitor and defend consumer data.

Any business that meets any of the following criteria will be required to comply with the CCPA:

  1. Earns greater than $25 million of annual gross revenue.
  2. Collects personal information from 50,000 or more California consumers, households or devices.
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

CCPA infractions will be enforceable by the state’s Attorney General and by individual consumers. The Attorney General may seek civil penalties between $2,500 and $7,500 per violation, depending on whether the violations were intentional or unintentional. Any consumer whose personal information is breached may seek civil action to recover damages of at least $100 and up to $750. Note that the CCPA provides companies a 30-day cure period to rectify violations that are presented on an individual or class-wide basis.

Consequently, in the event of a massive data breach in which hundreds of thousands of individuals’ personal information is compromised, liable companies are at risk of paying millions of dollars in damages.

If your company is a Financial Institution (FI), it’s very likely that it will still have to comply with the CCPA – despite already being subject to the Gramm-Leach-Bliley Act, a federal law that requires FIs to explain how they share and protect their customers’ private information. This is because the CCPA has a much broader definition of personal information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA’s definition cites many specific examples of information, such as email addresses, records of personal property, purchase history, browsing history, geolocation data, and biometric data. Further, any information used to create a consumer profile – a common marketing technique (e.g. targeted online advertising) – would fall under this definition as well.

Why was the CCPA enacted?

Data has become its own business. Corporations can collect and manipulate personal information (buying habits, personality traits, health and financial information, and more) to concentrate marketing efforts and product offerings and meet the needs of their customers. Identifying trends, maximizing conversions, increasing profit margins – there are many reasons for businesses to collect and analyze data.

However, the accumulation of such valuable personal data has left it susceptible to misuse and hacking. The CCPA specifically references Cambridge Analytica’s misuse of tens of millions of people’s personal data in March 2018. Further, there have been multiple instances of massive global data breaches in just the last two years (e.g. Equifax, Facebook, Marriott), impacting hundreds of millions of people. The unauthorized disclosure of personal information – whether from misuse or breaches – can have devastating impacts on affected individuals, such as financial fraud, identity theft, reputational damage and emotional stress.

These events have led to the push for more regulation (such as the CCPA), as data privacy legislation is largely outdated and – for many industries – nonexistent.

The purpose of the act is to hold businesses accountable, maintain transparency, and return control over personal data to the consumer. The CCPA will protect and empower Californians by granting them the following rights:

  1. To know what personal information is being collected about them.
  2. To know whether their personal information is sold or disclosed and to whom.
  3. To say no to the sale of personal information.
  4. To access their personal information.
  5. To equal service and price, even if they exercise their privacy rights.

Under the CCPA, consumers in California will be able to not only request what personal information is on record and how it’s being used, but also request that it not be sold or that it be deleted altogether. This has significant ramifications on how businesses handle data.

The key business impacts of the CCPA – and how to prepare for them.

The CCPA is arguably the strictest regulatory action with respect to data privacy and control to date – and it sets a far-reaching precedent for future state, federal, and international regulations. As the act’s January 2020 effective date nears, your company must prepare for the business impacts of the CCPA. Here are a few ways to prepare for the CCPA:

  1. Have a business unit in place. It’s imperative for your company to not only have a seamless process blueprint in place by 2020 but also a capable business unit that can field customer inquiries and requests. As additional states roll out their own privacy regulations, the number of requests will increase exponentially and must be planned for accordingly.
  2. Understand your data’s physical location and flow. To be able to field your customers’ inquiries/requests, your company will need to be able to pinpoint where data resides and where it flows to and from.
  3. Implement intracompany controls. To be CCPA compliant, several of your company’s departments may need to be involved – such as IT, Compliance, Customer Relations and so on, depending on your company’s structure. Therefore, it will be critical to have intracompany controls in place to ensure a seamless process and that each department is on the same page.
  4. Maintain comprehensive and current compliance policies. The CCPA is only the beginning. It’s important to refresh compliance policies to keep them tailored and applicable to each state as further regulatory actions are taken.