February 14, 2019
Since California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into state law in June of 2018, it has forced many companies from across the country to consider how the law could impact them. If you are a business owner or decision maker at your company, you should be going through that process of determining whether the CCPA applies to you — after all, the CCPA has a much wider range of impact than just local California businesses.
In fact, the CCPA affects any entity that does business with, and handles the personal information of, California consumers (and which also meets the other criteria). As a result, if you believe CCPA might apply to you, it is worth doing some research and taking action to make sure that you do not fall victim to any CCPA penalties.
The CCPA is a privacy law akin to the GDPR (General Data Protection Regulation) in Europe; like the GDPR, it allows consumers the right to view their personal data, opt out of the collection or sale of that data, and request the deletion of some or all of that data. And as with the GDPR, there are CCPA fines attached when it comes to violations of the law. So how do you avoid incurring heavy CCPA penalties? Here are some of the things you need to do.
Know the CCPA Penalties
Obviously, in order to avoid getting penalized and paying fines, you first have to understand what activities the fines attach to CCPA penalties allow for up to a $2,500 fine for each violation, and up to $7,500 for an “intentional violation” of the CCPA. The law also allows consumers the right to take private legal action against offending companies for data breaches, recovering anything between $100 and $750 per consumer per incident, or actual damages (whichever is greater). If it is determined that a company did not provide reasonable data security measures to protect its consumers’ personal information, these “unintentional” violations can also result in fines.
While these may not seem like a large fee to companies that make more than $25 million in revenue per year, when you consider how many consumers these companies regularly reach — and whose data they handle — this could add up to a potentially massive amount of money. Additionally, it is possible that the Attorney General will treat each separate piece of personal information that is exposed as a separate violation, meaning that exposure of 5,000 consumers’ information may actually count as 30,000 violations if the company held six pieces of exposed personal information about each consumer.
Perform an Assessment
The next important step in compliance will be creating a data map that covers all of the data/personal information you organization has collected and shares. Your data map will be key to your compliance in helping you see what personal information you may want to delete if you realize it is not needed for a business purpose. The data map will also help you identify third parties and/or service providers with whom you share consumer information. You contracts and agreements with those organizations will need to be renegotiated to comply with the CCPA.
Your CCPA assessment may be something that you look into yourself internally, but it can also be quick and effective to get an outside expert or service to take a look, showing you things you could potentially have otherwise missed and helping you to come up with — and execute — a plan of action moving forward. One of the value propositions of an outside service provider is that they can offer multiple solutions–creating the data map, managing a portal for customer requests, as well as creating the necessary documents and offering the CCPA-required training for your employees.
Make a Plan
When it comes to creating and executing a plan of action, what do you need to include in order to avoid those CCPA penalties? Again, this is where you may need to seek help from an expert in privacy law or compliance, but here are a few of the most notable things you will need to start planning for in order to avoid CCPA fines:
A big part of the CCPA is providing consumers with pertinent information about the collection and use of their data, as well as explaining to them their rights and options regarding that data. Drawing up a new privacy notice will thus be a priority as the CCPA deadline approaches. This will include new CCPA compliant terms and conditions that every site user will see and agree to prior to using your site.
Draw up new contracts where necessary
As mentioned, third-party contracts will also be affected by the CCPA, so now is a good time to start the process of creating new contracts and renegotiating where necessary.
Since consumers now have the option to request access to view their data, or have it deleted from your system, you will now need a system to manage those requests. Failing to do so will likely result in fines. It is also worth noting that organizations are given 45 days to respond to such requests, so efficiency will be key when developing your system.
There may be any number of other aspects to your plan of action, but using a service such as SixFifty Privacy can help you to draw up a comprehensive plan, as well as providing aid when the time comes to execute that plan.
Implement New Training and Policies
Since the CCPA has such potentially far-reaching consequences, it is important that awareness of it stretches to every part of the company. This is especially important for those who will be actively involved in implementing your new privacy policies. When it comes to CCPA penalties, there is always a chance your company may be investigated. And just as you have policies in place and keep track of everything in case of auditing during tax season, you should have similar procedures in place to show that you are working to be compliant with the CCPA.
Furthermore, your company’s training should be altered where needed to make all employees aware of your new policy and procedures. Current employees should all be expected to undergo that training in order to get up to speed. The CCPA then requires that their training be updated on a yearly basis, and any new employees who handle the consumer requests (likely HR, customer service, and IT) will also need to be given CCPA onboarding training.
Keep on Schedule
Finally, in order to make sure that you do not incur any CCPA fines, you will have to be acutely aware of the timeline and relevant deadlines for CCPA compliance. While the law is technically already in effect, the deadline that you need to remember is the “operative date,” which is when businesses are expected to be compliant by, and after which penalties and fines can be assessed. That date is January 1st, 2020. The only surefire way to avoid fines is to aim to be fully CCPA compliant before that date. That also means that you have less than a year to get ready and should start the process sooner rather than later so as not to risk missing the deadline.
You might view the CCPA as anything from a mild inconvenience to a huge pain — or anything in between — but if you take the time and effort to make sure everything is in order as soon as possible, it doesn’t have to be something you lose any sleep over. To make it even easier, SixFifty Privacy can help you out with compliance, providing an assessment, a timeline, and aid in executing your plan for compliance. Take the assessment, and we will be in contact to help you out in no time.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth