  • Spocy

Is your business California ready? CCPA Enforcement

The California Consumer Privacy Act (CCPA) comes into enforcement from 1 July 2020. It gives California consumers the right to know about and control the personal information that businesses collect about them. Moreover, it gives consumers the ability to bring a civil suit if their personal information is subject to a data breach.





It is important to understand the CCPA’s 12-month “Look Back” requirement, under which businesses may need to reveal how they have practiced due diligence in maintaining privacy throughout the last year.


The CCPA is applicable to businesses having one of the following characteristics:

  1. Has annual revenue of more than $25 Million

  2. Derives 50% of its annual revenue from selling consumers’ personal information

  3. Operates in California

  4. In combination or alone, buys, sells or shares the personal information of 50,000 or more consumers, households or devices for the business’s commercial purposes

How is it different from GDPR?

  • Grants consumers the right to opt out instead of opt in

  • Fines are between $2500 and $7500 per record for a civil violation

  • Includes data relating to households and devices

  • Look-back rule of 12 months


What needs to be achieved by businesses to get ready?

A business needs to comply with the law once the regulator notifies it of a violation. Ignoring such a violation is subject to fines of up to $7500 per record. The following are some example actions a business can implement to avoid or respond to a violation:


Create an Inventory of all Consumers’ Data

  • Identify all the data related to California and households, and verify the identity

  • Categorize all the data and create data flow maps to identify the third parties and service providers involved in business transactions

  • Document the whole process in a precise manner

Fulfill Consumers’ Rights

  • Create a process for fulfilling consumers’ requests and rights

  • Disclose the personal information collected, sold, or disclosed for a business requirement

  • Define a process to fulfill requests within a 45-day period

  • Verify the identity of the requester and validate the rights of the consumer before fulfillment

Opt-out and Disclosure

  • Provide consumers the option of opting out and keep records of the consents

  • Disclose through notices and the privacy policy on websites

  • Provide a separate link to the “Do Not Sell My Personal Information” web page

Define and Monitor Process

  • Define or revise the business privacy policy to cater to the requirements of the CCPA

  • Identify the service providers and third parties with whom data is being shared

  • Perform a data security assessment to identify the data in scope and the controls in place for protecting such data

  • Monitor compliance with the CCPA and other regulations

  • Implement controls where gaps are identified

Breach Response

  • Identify the cause of the breach and breached data

  • Create the incident response plan for notifying and facilitating the response

  • Develop provisions to respond to consumers’ requests within a month

  • The CCPA allows consumers to bring a civil action if their data rights are violated


To enable our clients to remain in compliance with privacy regulations, the Security Spoc team is working round the clock designing frameworks and strategies. To know more, contact us!
