The July 1, 2020 enforcement date for the California Consumer Privacy Act (CCPA) is fast approaching. The original adoption of the regulations, on Jan. 1 of this year, contained a six-month enforcement delay. Although some organizations requested an additional six-month extension on fully adopting the regulations due to COVID-19, California Attorney General, Xavier Becerra, assured the public that data privacy and security should remain top of mind during this time and that the enforcement date will remain unchanged.
Unless an exception is available, the CCPA applies to a variety of for-profit businesses that do business in California, collect and control California residents’ personal information, and meet any of the following conditions:
- Have more than $25 million in annual gross revenues;
- Buy, sell, or receive information of more than 50,000 consumers or households; or
- Make more than 50% of annual revenue from selling consumer information.
The parameters easily include large tech organizations, but also may affect smaller businesses relying on consumer data to perform business functions like conducting surveys, purchasing sales databases, or maintaining online user accounts.
California consumers will gain protections from the CCPA like:
- The right to opt-out of the sale of personal information;
- The right to delete personal information kept by a business; and
- The right to know which information is collected or maintained by a business.
Businesses subject to the CCPA should act now to address the following six items before the enforcement date on July 1.
OBLIGATIONS FOR BUSINESSES SUBJECT TO THE CCPA
- Consumers must be provided notice before or at the time of data collection.
- Procedures for information collection opt-out requests must be adopted and implemented; this includes providing a “do not sell my info” link on website and apps, for businesses selling information.
- Certain timeframes must be adhered to when responding to consumer requests to know, opt-out, and delete their information.
- When a consumer wishes to know and delete their information, businesses must first verify the consumer’s identity.
- In the event there is financial incentive for collecting a consumer’s information, businesses must disclose the incentive, how the value of the personal information is calculated, and how the incentive is permitted under the CCPA.
- To demonstrate compliance with the CCPA, businesses must maintain records of requests and how they responded for 24 months.
WHAT DOES THIS MEAN FOR ME?
If your business collects and maintains California consumer data, it may be subject the CCPA. The California Attorney General can enforce the Act beginning on July 1, 2020. Even if your business is not subject to the CCPA, protecting consumer data is increasing in focus among regulatory bodies such as the SEC.
If your business needs assistance with protecting consumer data or complying with the CCPA, Fairview Cyber can help. We offer comprehensive cyber and data security solutions to businesses focused on protecting client data, including personally identifiable information and other sensitive data. Contact us today for more information about our service offerings and how we can help your business.