top of page
  • Writer's pictureSpocy

Is your business California ready? CCPA Enforcement

California Consumer Privacy Act (CCPA) coming in enforcement from 1 July 2020 which gives rights to California Consumers to know about and control the personal information that businesses collect about them. Moreover' it provides consumers the ability to bring a civil suit if their personal information is subject to the data breach.

It is important to understand the CCPA’s 12 months “Look Back” requirement where businesses may need to reveal how they have practiced the due diligence in maintaining the Privacy throughout last year.

CCPA is applicable to the businesses having one of the following characteristics:

  1. Has annual revenue of more than $25 Million

  2. Achieve 50% of their annual revenues from selling consumer’s personal information

  3. Operates in California

  4. In combination or alone, buys sell or share the personal information of 50,000 or more consumers, households or devices for business’s commercial purpose

How it’s different from GDPR?

  • Grants consumer the right to opt-out instead of opt-in

  • Fines are between $2500-$7500 per record under civil violation

  • Includes data relating to households and devices

  • Look-back rule of 12 months

What needs to be achieved by businesses to get ready?

Business needs to comply with the law once the regulator notifies them of a voilation. Ignorance to such violation is subject to fines up to $7500 per record. Following are some exemplary actions a business can implement for neglecting or respond to violation:

Create Inventory of all Consumers’ data

  • Identify all the data related to California and Households and verify the identity

  • Categorize all the data and create data flow maps for identifying the third-parties and service provider involved in business transactions

  • Document the whole process in a precise manner

Fulfill Consumer’s Rights

  • Create a process for fulfilling the consumer’s requests and rights

  • Disclose the personal information collected, sold, or disclosed for business requirement

  • Define a process to fulfill requests in 45 days period

  • Verify the identity for the request and also validate the rights of the consumer before fulfillment

Opt-out and Disclosure

  • Provide consumers the option of opting out and keep records for the consents

  • Disclosure through notices and privacy policy on websites

  • A separate link to the “Do Not Sell My Personal Information” Internet web page

Define and Monitor Process

  • Define or revise the business privacy policy for catering the requirements of CCPA

  • Identify the service providers and third-parties to whom data is being shared

  • Perform a data security assessment for identifying the data in scope and controls in place for protecting such data

  • Monitor the compliance to CCPA and other regulations

  • Implement controls where gaps are identified

Breach Response

  • Identify the cause of the breach and breached data

  • Create the incident response plan for notifying and facilitating the response

  • Develop provisions to respond to consumer’s request in a month

  • CCPA provisions the consumers to bring a civil action if their data rights get violated

Enabling our clients to remain in compliance with privacy regulations, the Security Spoc team is working round the clock in designing frameworks and strategies. To know more Contact us!

16 views0 comments


bottom of page