Six months after the California Consumer Privacy Act became law, today marks the beginning of the CCPA enforcement phase.
Ignoring demands from some groups to delay entering this phase, the State’s Attorney General can now take action against businesses that violate the Act’s privacy protection requirements. Until now, enforcement has been limited to civil actions brought by aggrieved consumers.
According to Bob Kobek, CEO of CustomerCount®, in the world of customer feedback measurement and management, both the CCPA and GDPR are counter-intuitive. “At CustomerCount we have been very focused on collecting and reporting data. Whatever instrument you use, you must be certain they have satisfied and follow the well-defined requirements below. It required a lot of programming to change our system enough to satisfy these and keep ourselves and our clients in safe harbor.”
In an article in Forbes about CCPA enforcement, Ameesh Divatia, co-founder and CEO of Baffle, Inc., concurs: “We’re hearing that many agencies are hiring enforcers.” And it’s not surprising. The AG’s office is reported to be “finalizing how to assess penalties, define a breach and justify the size of penalties for violating the CCPA”.
The CCPA vs GDPR
While many businesses are aware of Europe’s General Data Protection Regulation (GDPR) and have implemented privacy protection policies, the CCPA has some critical differences.
“GDPR is more focused on customer rights. CCPA has this, but it is focused on identifying a business that is violating them. It’s not as focused on individual rights.”
However, the methods for protecting consumer data apply to the CCPA just as they do to the GDPR. And, while the GDPR is more broadly based because it applies to more than just consumer data, if you’re GDPR compliant, you are close to being CCPA compliant as well.
With the GDPR, US businesses are required to observe the rules if they collect data on European subjects. The same is true for the CCPA. You need to comply if you have data on California consumers – even if your business is NOT based in the State.
It remains to be seen how the AG’s office plans to manage CCPA enforcement for non-resident companies. So, it’s probably better to be compliant than to find out when a fine arrives.
CCPA Enforcement: What you need to do NOW
There is plenty of documentation available for businesses wishing to be CCPA compliant. However, this checklist from Forbes is an excellent start with actions you can take immediately.
- Make sure your website contains the required information on your protection practices. This includes the kind of data you collect and retain, contact information for inquiries, a statement about any sales of consumer information, and a means to opt-out of such transactions.
- Confirm the type and quantity of consumer information you keep. Consider how long you hold it, why you store it, and that it’s adequately protected. The introduction of enforcement might be a good time to evaluate the data you keep. You can then remove it safely if you don’t need it.
- Evaluate your data protection. Does your data encryption meet modern standards? Is consumer data protected while it’s stored as well as while it’s being processed? You need to prove that you’ve used reasonable security protection. However, that alone doesn’t protect you unless any data that is stolen is encrypted well enough that attackers can’t read it.
- See if you can think of ways not to keep consumer data at all. There are payment processing services that will handle transaction data for you, for example. Depending on your business, you may not need to retain credit card data or other personal information. What you don’t have, you don’t have to protect.
- Rather drastic, but consider not doing business in California until you’re confident that you’re ready. This plan worked for some companies worried about the GDPR. Either way, you need to understand the requirements as quickly as possible.
Look at the positive
Of course, from compliance comes opportunity. If you treat the CCPA as a way of operating under best practice, your clients will recognize that you respect their privacy and reward you with increased loyalty. Being careful and treating your customers and their data with respect protects you as much as it protects them. It can also set you apart from your competitors.
But, as Wayne Rash reminds us in the article: in case you don’t care about that, well, the AG is there to find new ways to remind you.