A few years ago, organizations across Europe had to adjust to a new era of privacy regulations after the European Union instituted the General Data Protection Regulation, also known as GDPR. Now, California is taking a similar step with the California Consumer Privacy Act, or CCPA.
The CCPA is a new set of guidelines that gives residents more control over how companies treat their personal data. Even businesses that aren’t physically located in California must fulfill CCPA compliance requirements when dealing with California consumers.
The act went into effect January 1, 2020, and many businesses were slow to prepare for these changes. In a survey conducted by global IT security leader ESET, almost half of the respondents hadn’t even heard of the CCPA. Fewer than 12% were certain whether the law applied to their businesses.
The misuse of personal data has been a common news headline in the past few years. The CCPA is an important step toward giving people control over their data, and California isn’t the only state headed in this direction. According to the National Conference of State Legislatures, at least 25 states and Puerto Rico have introduced similar bills or bill drafts.
Maintaining CCPA Compliance
Data transparency is a critical issue for consumers, so even businesses that aren’t affected by current regulations will likely need to follow similar rules soon.
To meet CCPA compliance requirements, your business must be willing and able to share information about how you collect personal data if someone requests it. The information you must know and share for CCPA compliance includes:
- What kind of personal information you’ve collected
- The types of sources you’ve collected personal information from
- Your reasons for collecting or selling information
- Which third parties you share this information with
- What specific information you’ve collected about the individual
How CCPA Impacts Your Business
Prepare for increased transparency with consumers
This law requires businesses to evaluate how they keep users informed about data storage and usage. It sounds like a lot of work, but it’s a good thing for any company to think through. Open, transparent communication is key to building trust. If your customers don’t trust you to take care of them and their data, they’ll leave for a competitor as soon as it’s convenient.
For example, California consumers now have the legal right to opt out of third-party sales. When collecting data, businesses must clearly communicate the type of information they intend to collect and why. If they plan to sell personal information, they have to give users the choice to opt out. Most importantly, if a consumer chooses to opt out, the business can’t discriminate against him or her in price or services.
By openly embracing and even championing these changes, you’ll show consumers that you care about their privacy and support regulations that help protect everyone’s rights.
Expect disclosure requests
Now that users have the power to ask for information disclosures, it’s only natural that people will ask for them. This means you have to know exactly what you’re doing with people’s personal information and be honest about it.
Many people are cynical because of how companies have misused data in the past, but companies that go out of their way to be transparent will rebuild trust.
Ensure you’re able to delete user data
People will also request data deletion. However, there are several exceptions to deletion requests you should know about:
- For security purposes: Businesses can still use server logs or other information to protect against deceptive or illegal activity or to prosecute people responsible for such activity.
- To identify and correct errors: Businesses can keep certain data to help debug and repair problems that impair intended software functionality.
- When it pertains to another user’s free speech: There’s sometimes a tension between protecting one user’s right to free speech and another’s right to deletion. The CCPA favors free speech.
- For legal compliance: The 2015 California Electronic Communications Privacy Act requires state law enforcement to obtain a warrant to access certain electronic information. If a business receives such a request from the government, it doesn’t have to delete the information. This same rule of thumb applies to all legal obligations, such as civil lawsuits or other regulatory investigations.
- When researching in the public’s interest: If an organization is using information, which the consumer previously consented to share, in public or peer-reviewed research conducted in the public interest, it can keep that information.
- For internal uses: If data is only used internally and in alignment with consumer expectations for the business, the company may be able to keep it. Additionally, this right can extend to any information that is used internally within the context in which the person provided the information.
New regulations are always tricky. But if you embrace the inevitable changes to come, your business will fulfill CCPA compliance requirements. If you meet these requirements, users are more likely to have a positive impression of your organization.