Falling in line with other global data privacy regulations, such as the European Union’s GDPR, California has its own privacy regulation. The California Consumer Privacy Act (CCPA), in effect as of January 2020, is the most comprehensive US-based privacy law to date. Whether you are a brick-and-mortar store or a global software company, any business that collects personal information could fall under CCPA. It is important not only to understand the regulation, but also to ensure compliance by putting in place the processes and tools you’ll need to serve California consumers and users.
The Basics of CCPA
CCPA applies to any non-temporary resident of California, regardless of where the company is located. It is intended to protect consumers against misuse of their personal data. It allows more visibility into how personal data is being used, the ability for individuals to access their data from a company, and an option to opt out of the reselling of their personal information.
A business is subject to CCPA if it meets any of the following: it has gross annual revenue exceeding $25M USD, it sells data from more than 50,000 devices, users or homes, or it derives at least 50% of its revenue from the reselling of consumer data.
The Risks of Non-Compliance
Non-compliance can result in hefty fines. Unlike most regulations, which require a complaint to be made through a data protection authority, CCPA allows consumers to file suit directly against the company. Compliance is required by law. Publicity around non-compliance will also result in loss of customer trust and loyalty.
If your company is not already compliant with another regulation, you will need to begin by identifying all of the Personal Information that you collect, process, and store. This can include a variety of data, from names and birthdates to usage data, location data, and device serial numbers. It covers essentially any data that either identifies an individual or discloses personal information about them.
To meet regulation standards, a company must do the following:
- Clearly identify to users what data is being collected, how it is being used, and what third party companies may be processing or storing it
- On request, have the ability to collect 12 months of a user’s data and transfer it to them
- On request, have the ability to delete all of a user’s data from the system
- Add a consent box allowing users to opt out of personal information sharing
- Restrict usage to consumers over the age of 16, or between 13 and 16 with a parent’s consent
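As an added illustration of the access, deletion and opt-out capabilities in the list above (this is not code from the original article or from Enzuzo), here is a minimal Python sketch. The store layout, the record fields, the processor names and the sample records are all constructed assumptions; a real system would query its actual databases and third-party processors instead of in-memory lists.

```python
"""Minimal handling of CCPA-style access, deletion and opt-out requests.

Added illustration, not the article's or Enzuzo's code. The DataStore/Record
layout, the vendor names and all sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json


@dataclass
class Record:
    user_id: str
    collected_at: datetime     # timezone-aware timestamp of collection
    category: str              # e.g. "profile", "usage", "location"
    value: str
    processors: tuple = ()     # third parties that receive this record


@dataclass
class DataStore:
    name: str
    records: list = field(default_factory=list)


def export_user_data(stores, user_id, now, window_days=365):
    """Package every record about user_id collected in the trailing window
    (the article's 12 months), grouped by store, as a JSON-serialisable dict.
    Each record lists the third parties it was shared with, which covers the
    disclosure requirement as well as the access requirement."""
    cutoff = now - timedelta(days=window_days)
    package = {"user_id": user_id, "generated_at": now.isoformat(), "stores": {}}
    for store in stores:
        hits = [
            {
                "collected_at": r.collected_at.isoformat(),
                "category": r.category,
                "value": r.value,
                "shared_with": list(r.processors),
            }
            for r in store.records
            if r.user_id == user_id and r.collected_at >= cutoff
        ]
        if hits:
            package["stores"][store.name] = hits
    return package


def delete_user_data(stores, user_id):
    """Remove every record about user_id from every store, regardless of age,
    and return the number of records removed so the request can be audited."""
    removed = 0
    for store in stores:
        before = len(store.records)
        store.records = [r for r in store.records if r.user_id != user_id]
        removed += before - len(store.records)
    return removed


def set_opt_out(consent, user_id, opted_out=True):
    """Record the user's choice from the opt-out consent box."""
    consent[user_id] = opted_out


def may_share(consent, user_id):
    """Sharing with third parties is allowed only when the user has not opted out."""
    return not consent.get(user_id, False)


def build_sample_stores(now):
    """Constructed sample data: two stores, two users, one stale record."""
    crm = DataStore("crm", [
        Record("u-100", now - timedelta(days=30), "profile", "name=Ada", ()),
        Record("u-200", now - timedelta(days=10), "profile", "name=Bob", ()),
    ])
    analytics = DataStore("analytics", [
        Record("u-100", now - timedelta(days=100), "usage", "pageviews=42",
               ("ExampleAnalyticsVendor",)),   # hypothetical vendor name
        Record("u-100", now - timedelta(days=700), "location", "city=Oakland", ()),
    ])
    return [crm, analytics]


if __name__ == "__main__":
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    stores = build_sample_stores(now)
    print(json.dumps(export_user_data(stores, "u-100", now), indent=2))
    print("deleted", delete_user_data(stores, "u-100"), "records")
```

Note that the export honours the 12-month window while the deletion does not: the 700-day-old location record is left out of the access package but still removed on a deletion request, which is the distinction the two list items above draw.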
Making it Easier
The biggest steps to getting compliant are categorizing personal data and finding ways to handle data access requests from users.
Start by mapping out all of the data you collect and process. Eliminate any data that is not required for use of your service/product (for example, gender or address). The less data you have, the simpler your handling processes become.
Next, look for automation tools for handling user requests and consent. Handling one request is simple, but your company could be inundated with many requests at the same time. Enzuzo integrates seamlessly into your existing systems, allowing you to manage your users’ data. When a user requests access to their information, Enzuzo will discover, collect, and package it for transfer in a way that does not impact your time and resources. Enzuzo can also help you to identify and delete a user’s data from the system.
Get started for free and immediately start managing and organizing data privacy requests.