Is your data policy ready for California's new consumer privacy act?

Companies must be ready for data requests from current and past customers and reviews from regulators in the Golden State.

Want to attain and retain customers? Adopt data privacy policies Customers won't buy services or products from companies if they don't trust how their data will be used, Cisco found.

If your inbox is full of privacy update emails, that's a heads up that the California Consumer Privacy Act is now in effect.

California Gov. Jerry Brown signed the bill into law on June 28, 2018 and the new compliance rules started Jan. 1. The CCPA is a comprehensive data privacy law, which is similar to the General Data Protection Regulation in the European Union and the Digital Privacy Act in Canada.

 The CCPA applies to all businesses in California that meet one or more of these criteria: 

  1. Has annual gross revenue in excess of $25 million 
  2. Buys,  sells, or  shares the personal  information of 50,000  or more consumers, households, or devices
  3. Derives 50% or more of its annual revenue from selling consumers' PI

The state's CCPA economic impact report predicts that 75% of California businesses will have to comply with the rules and that the initial investment in compliance will be about $55 billion. 

The report estimates that businesses with fewer than 20 employees will spend $50,000, companies with 100-500 employees will spend $450,000, and companies with more than 500 employees will spend $2 million.

SEE: What businesses need to know about the CCPA (TechRepublic Premium)

Companies got started with compliance efforts last year, but it is still slow going.

PwC recommends developing an enterprise approach for complying with CCPA:

  1. Test the readiness of the high-risk areas of the business to provide regulators with evidence of operational privacy controls.
  2. In high-risk areas showing weak controls, identify current technical capabilities and develop the business requirements to extend them and strengthen those controls.  
  3. Pilot new privacy technologies within high-risk and high-impact areas first.
  4. Use the results of the pilots to define your organization's future-state privacy technology ecosystem.
  5. Develop a cross-functional task force including technology, data governance, data ethics, security, risk, compliance, legal and privacy experts to support evolving changes to the privacy technology baseline.

Security firm Data443 suggests taking these steps to comply with the CCPA:

  • Offer a 'Do Not Sell My Information' option to all customers.
  • Make it easy for customers to opt out. 
  • Create a process for current and past customers to submit a Subject Access Request
  • Consider employees, pensioners and other categories of information holders when developing policies and procedures.
  • Update privacy and compliance policies with updated disclosures and collection policies.  
  • Create handling, processing and collection processes for data from children and minors. 
  • Monitor changes at the state level and adjust policies as needed.

Jason Remillard, founder and CEO of Data443, believes that a federal law standardizing customer data collection is coming. 

"Microsoft has already announced a national-level compliance program for CCPA-level services, in 2020. I expect others to follow suit in the absence of a national legislation," Remillard said.

Maine and Nevada have already passed data privacy laws and 11 other state legislatures considered similar bills in 2018. Five states have created task forces to study the issue. California's law started as a citizen-led ballot initiative.

Also see