The California Consumer Privacy Act (CCPA) was just signed into law and will take effect in less than six months. Are you ready? What can you learn from the General Data Protection Regulation (GDPR) to help you prepare now?
Last year, the General Data Protection Regulation (GDPR) came into effect, setting a monumental precedent for the way businesses are expected to approach consumer privacy in the age of the Internet. The GDPR dictates rules for data collection, storage, and usage in Europe and even effects US-based businesses with data subjects located overseas. The regulations set forth have no bearing on business location physicality in EU, it only pertains to the consumers the business serves. It has set the stage for similar regulations to follow around the world –
For California businesses, that time has come. The California Consumer Privacy Act (CCPA) has been signed into law as of June this year, and will take effect in January 2020. Have you taken the appropriate steps to hit the ground running and guarantee your compliance?
After all, with any new, wide-reaching regulations like this, it can be difficult to determine how you fit into it and what you need to do. So, what’s the best way to start?
Why not learn from our neighbors across the pond?
3 Lessons To Learn About GDPR And Be Compliant With CCPA
A benefit of the fact that CCPA is following GDPR is that you can learn directly from the experiences European and international businesses had in becoming compliant last year. Instead of having to granularly develop your compliance practices from scratch (which can be expensive, in both time and money), you can model your processes after those that have been proven to be effective.
To start, consider these 3 key lessons about the GDPR and how they can influence your future compliance with CCPA:
1. You Need To Know How CCPA Will Affect You.
This all comes down to data access and control.
Pre-GDPR (and now, pre-CCPA), there are likely a number of unexamined and unevaluated venues for data access in your operations that could put you at risk of noncompliance in January.
Once they were required to double check how their data was accessed and controlled, businesses in Europe found that there was a lack of proper control, and access to data enabled via legacy units. These are the types of gaps in your data control practices that need to be addressed before CCPA comes into effect.
By analyzing your operations top to bottom, you will likely identify ways that data can be accessed that few (or no one) was aware of because they weren’t regularly making use of them.
If you don’t already have policies for the following considerations, now it the time to start developing them:
Controls and Notifications
- Protect personal data using appropriate security.
- Notify authorities of personal data breaches.
- Obtain appropriate consents for processing data.
- Keep records detailing data processing.
- Provide clear notice of data collection.
- Outline processing purposes and use cases.
- Define data retention and deletion policies.
2. You Need To Budget For CCPA Sooner Rather Than Later.
Compliance is never free. It’s an unfortunate reality of the modern business world, that as much as the Internet and data collection (and sale) can benefit what you do, the downside is how expensive compliance can end up being.
But it’s the cost of doing business, simple as that.
As discussed in the first lesson above, you will need to devote time and resources to examine the way you control data. Once analyzed, you will need to implement changes to your operations and structure in order to be compliant with CCPA.
All of this will cost you, at the very least in terms of working hours for the staff you have assigned to these tasks. However, if your analysis determines that you’ll need to implement new controls in the form of security technologies, that will cost too.
It’s also worth noting that, as is the case with any such regulation (e.g. GDPR), new legal opinion and precedents can prompt changes to the CCPA. In other words, you can’t expect to pay to be compliant “once” and then assume the work and expenses are done. You need to have funds budgeted appropriately to adapt to future changes to CCPA as they happen.
3. You Need To Know The Consequences Of Non-Compliance Now.
It’s important to note that, although CCPA is following GDPR and much of the discussion is around how they (and practices for compliance) are similar, there is a key way in which they differ. CCPA is undoubtedly more complex.
CCPA has taken steps beyond the scope of GDPR, such as in dictating the tracking of device and household information or offering consumers the option to opt-out of the sale of their personal information.
Most importantly for you? Penalties associated with CCPA are unlimited – even up to $7,500 per customer.
Think for a minute about how many customers you deal with… budgeting for that kind of cost likely isn’t feasible. Compare it to the cost of becoming compliant, and you’ll likely see the wisdom in learning lesson #2 sooner rather than later.
All of this is to say, you need to make the effort now. Non-compliance is infinitely more troublesome and costly than taking the steps to become compliant over the next six months.
Is CCPA going to be more work for you?
Yes, undoubtedly. But it’s necessary. It’s designed to protect consumers and allow you to continue to make the most of modern business advantages in the digital age.
The good news is that you don’t have to handle this alone. By working with an IT company like Kraft Technology Group, you can make sure you have the skills and knowledge you need to become compliant by the time CCPA comes into effect. While you may have never had to worry about this type of compliance before, Kraft Technology Group has the experience needed to assist in your analysis and updates to help you get in line with CCPA.
Don’t forget – last year it was Europe, right now it’s California, but soon enough? It will be everyone. Similar regulations are in the works in a number of states from Hawaii to Mississippi and New York. This is where the world is headed, and if you don’t get on board soon, you will pay the price.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.