On October 10, 2019, the Office of California Attorney General Xavier Becerra announced public regulations of the California Consumer Privacy Act (CCPA). The bill, signed on June 28, 2018, provides consumers with new rights with regard to how companies handle their personal information. The law states that the California Office of the Attorney General must begin implementing the new regulations on or before July 1, 2020. The state is currently in the midst of a public comment period on CCPA.
For businesses, that means it’s paramount to understand what the law regulates, how they’ll need to comply, and who is affected. Because of the nature of the law, it is highly likely that any company with any type of customer database or records will need to comply.
Let’s take a closer look at CCPA, as well as how you can review the new regulations and make your voice heard. The sections in this post will include:
- What is CCPA?
- What are the compliance requirements of CCPA?
- Who does the CCPA affect?
- What CCPA means for companies
- How can you make your voice heard regarding CCPA?
To start, let’s define CCPA itself.
What Is CCPA?
The state of California released a fact sheet on CCPA that stated, “The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”
In a press release, Attorney General Becerra had this to say about CCPA:
“Knowledge is power, and in the internet age knowledge is derived from data. Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private…We take a historic step forward today to protect Californians’ inalienable right to privacy. Once again, California leads the way putting people first in the Age of the Internet.”
The Attorney General’s Office drafted CCPA in the wake of Europe’s General Data Protection Regulation (GDPR).
There are two major ramifications for CCPA: one is that it puts power back into the hands of consumers by giving them more rights over their data. It also puts pressure on companies to ensure all their IT systems are up to date so that they comply with all regulations included within. In fact, it’s urgent for companies to maintain compliance. But what exactly are the requirements?
What Are the Compliance Requirements of CCPA?
The law creates a new dynamic for the consumer-company relationship. The document is 24 pages long, broken up into seven articles: Article I (general scope and definitions), Article II (details on the data collection notice consumers must receive from companies), Article III (handling consumer data requests), Article IV (verification), Article V (rules regarding minors), Article VI (non-discrimination) and Article VII (a severability statement). It also gives consumers four primary rights:
- Know what information companies collect about them and what they do with that information.
- Delete any information companies (or, by extension, those companies’ providers) may have on the consumer.
- Opt out of the company selling the consumer’s personal information.
- Not be discriminated against when the consumer uses one of their privacy rights as laid out by CCPA.
Let’s take a closer look at each of these four major requirements companies will need to abide by to ensure compliance with CCPA:
- Specific consumer requests. If a consumer asks for information regarding how their data is being collected or handled, CCPA requires that companies provide them with that information. Companies must also tell the consumer which third parties may have access to their information and the methods by which that information was collected.
- Compliance with deletion requests. If a consumer requests the company to remove them and their personal information, the company must comply.
- Equality. Companies must provide users who have exercised any rights under CCPA the same level of service they would any other consumer.
Who Does the CCPA Affect?
The short answer? CCPA impacts everyone doing business in (or with) California or companies within it.
That means it doesn’t just affect California companies. Other companies, vendors, and providers doing transactions with those California companies are also expected to comply. To provide some context on just how many people that represents, it’s about one in eight in the United States.
The reason this number is so high is that many tech companies (such as Apple, Microsoft, Facebook, and Google) are based in California. Any company that maintains U.S. customer data as a part of its operations will likely fall under CCPA, provided it has customers in California. You’ll be required to keep up with CCPA standards in any sector.
What CCPA Means for Your Company
The most pressing need in light of CCPA is to ensure all your IT systems are up to date. If your company uses a platform such as Office 365, there are a whole host of considerations and processes you can implement to guarantee compliance.
This should play a role in the various types of IT systems you use for your company’s operations. Indeed, you’ll want to be sure they have the right infrastructure and licensing components in place to allow you to maintain CCPA compliance. For example, if you use Microsoft Teams for your team’s collaboration and communication, you may be aware that the platform has capabilities such as data loss protection, archiving, compliance content search, retention, and audit logs. Further, in a hypothetical scenario where a customer requests their data, features like this are invaluable in giving you the ability to get that data quickly.
CCPA also increases the need to use a program such as Microsoft Compliance Manager to assess the non-compliance risks you may face.
As for why you want to maintain compliance: it’s all about prevention. There are no consequences for taking the necessary compliance steps. Compliance with CCPA will ensure your company avoids hefty fines. Indeed, CCPA fines are projected to be heavier than GDPR fines. Take, for example, Cambridge Analytica. Facebook’s fines under GDPR would cost $1.6 billion. For CCPA, the same lack of compliance would cost close to $50 billion.
How Can You Make Your Voice Heard Regarding CCPA?
If you have any issues or concerns about the law, you still have an opportunity to communicate them directly to the state of California. While the rulemaking process is underway, the California Office of the Attorney General is allowing the public to provide insight on the legislation during a public comment period. You can make your voice heard in one of two ways:
- Submit written comments by either email or mail. You can email the comments to PrivacyRegulations@doj.ca.gov or mail them to:
  - Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013
- Submit your comments in person at one of four public hearings held throughout the state. More information on those is available below:
  - Sacramento: December 2, 2019. CalEPA Building, Coastal Room – 2nd Floor, 1001 I Street, Sacramento, CA 95814
  - Los Angeles: December 3, 2019. Ronald Reagan Building – Auditorium, 1st Floor, 300 S. Spring Street, Los Angeles, CA, 90013
  - San Francisco: December 4, 2019. Milton Marks Conference Center – Lower Level, 455 Golden Gate Ave., San Francisco, CA, 94102
  - Fresno: December 5, 2019. Fresno Hugh Burns Building – Assembly Room #1036, 2550 Mariposa Mall, Fresno, CA, 93721
All hearings will be held at 10:00 am Pacific time.
The deadline for all feedback in the public comment period is 5:00 pm Pacific time on December 6, 2019. The Attorney General won’t accept any comments submitted after that time. Thus, if you have a burning issue to address, make sure to submit well before that date.
All comments are posted on the Attorney General’s website. They will also be subject to disclosure under the Public Records Act. If you have any questions about the rulemaking or feedback submission processes, please refer to the California Office of the Attorney General’s website at www.oag.ca.gov/ccpa.
If you’re located in California or hold information about anyone located in California, CCPA will impact you. It’s critical that you perform a company-wide assessment of your ability to comply with the law as soon as possible. Failure to do so could result in fines that could cripple your bottom line. An assessment will also help you keep up with your consumers’ needs in a timely manner. You decrease the risk of non-compliance by understanding what will be expected of your company’s IT systems.
To find out how you can meet CCPA requirements using Office 365, request a quote today.