If your organization handles consumer data, it's time to start working on compliance with the California Consumer Privacy Act (CCPA). This sweeping new privacy law went into effect on January 1 for mid- to large-sized businesses. The California Attorney General’s Office will start enforcing the CCPA on July 1 or six months after they publish the final regulations -- whichever date is earlier.
In a nutshell, CCPA allows California residents to see what data a company collects on them. Then, they may request that they delete the information, and opt out of the sale of their data.
Which Organizations Will This Impact?
The law could apply to your business even if you're not physically located in California, but you conduct business in the state. CCPA may apply if you:
- Generate more than $25 million in annual revenue
- Handle personal information of more than 50,000 people or devices
- And/Or earn more than half your revenue from selling personal information
Beware of taking a “wait and see” approach until California issues its final guidelines. Doing so could put your organization at risk, as the law is already in effect. Therefore, not being able to fully comply once the rules have been clarified could increase any liability. Equifax encourages you to work with your legal counsel to determine best steps for your company in preparation for CCPA.
Where Do You Begin?
A key element of the law is that it requires you to be aware of what data you have on your customers. Additionally, you must know how and where you keep it. A good starting point is to create a high-level overview of where you stand on four key areas:
- Compliance Status: Is your organization already in compliance with other privacy standards (e.g., GDPR)? Are there any overlaps with what CCPA requires?
- Data Security: What mechanisms do you have in place to verify the identity of the consumer making the request? And what protocols need to be added or changed to deal with any notifications required in case of a data breach?
- Customer Control: Under CCPA, consumers control their data, and you generally have 45 days in which to respond to any requests. Have you evaluated your processes to ensure you will be in compliance?
Key Items Need Clarification
As with any new legislation, putting it into practice requires a number of clarifications. For example, work is underway to clarify how “personal information” is defined. It’s likely to include information that can be matched directly to a consumer or household.
California also needs to clarify how consumers should contact businesses to request their data, as well as opt out and/or ask that it be deleted. While companies who conduct business exclusively online are working under the interpretation that they are only required to accept online/email requests, businesses with a mix of online communications, brick-and-mortar locations and/or toll-free numbers are waiting to see if they must offer all such options for CCPA compliance.
Finally, California will have to clarify when organizations are permitted to retain, use or disclose personal information. From legal record-keeping requirements to authentic business-process issues, your organization needs to know when you are not required to comply with a consumer request.
Resources to Help Ease the Transition
Learn more about data privacy compliance on our website where you'll find a number of resources, including both customer verification and data compliance products.