A New California Privacy Law Could Affect Every U.S. Business—Will You Be Ready?

In our data-fueled world, we’re seeing a record-breaking number of breaches. Take, for example, Facebook’s 2018 breach of 50 million accounts. In 2019, the social media company made the news again, when 540 million user records were exposed on Amazon cloud servers.

Unfortunately, data exploitation is not limited to specific industries. For example, hackers gained access to sensitive information of 106 million Capital One customers across the United States and Canada. And Equifax suffered a breach in which the personal information of 147 million Americans was compromised. The effect these breaches have on consumers is mounting. In fact, a recent Pew Research Center study found that nearly half (49%) of Americans believe that their personal information is less secure than it was a mere five years ago.

With consumers increasingly skeptical that companies are taking adequate measures, many states are looking at their privacy laws. Considered to be the most comprehensive in the country, the California Consumer Privacy Act (CCPA) is set to take effect January 1, 2020, with enforcement beginning July 1, 2020. This expansive act is designed to give consumers more control over their personal information and will reach beyond California’s borders.

Law affects non-California businesses, too

Even if your for-profit SMB isn’t located in the Golden State, you may still be on the hook to comply. Do you do business or have customers (or potential customers) in California? If you answered yes to this question, and you meet one of the following criteria, your company must conform to CCPA regulations:

  • Your annual gross revenue is more than $25 million.
  • Your organization receives, shares, or sells personal information of more than 50,000 individuals.
  • Your company earns 50% or more of its annual revenue from selling personal information of consumers.

Don’t meet the criteria? Many states are using the CCPA as a template to draw up their own acts. It’s just a matter of time before privacy regulations affect your business.

Giving consumers power over their data

The CCPA will enable individuals to take a more active role in monitoring and protecting their personal information. Although the regulation consists of complex data safeguards, consumer rights can be grouped into five high-level categories:

  • Businesses must inform consumers of their intent to collect personal information.
  • Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  • Consumers have the right to prevent businesses from selling their personal information to third parties.
  • Consumers can request that businesses remove the personal information that the business has on them.
  • Businesses are prohibited from charging consumers different prices or refusing them service for exercising their privacy rights.

Given the CCPA’s comprehensive information privacy requirements and extensive reach, businesses need to take a hard look at their personal data-governance capabilities and processes. For many, CCPA compliance will require sweeping changes.

Don’t wait—prepare now

According to a 2018 PwC survey, 64% of businesses had not yet started to prepare for CCPA regulations. Have you put off starting your compliance journey? Have you begun the process, but find yourself challenged by the fast-approaching deadline? The following can help ease the burden and make the changes you need to implement less overwhelming:

  • Evaluate your current capabilities by identifying and classifying personal data.
  • Take a look at your data-governance capabilities.
  • Create a strategy to monetize data in a way that meets CCPA privacy regulations.
  • Take stock of your privacy controls, keeping an eye out for gaps in meeting CCPA requirements. Then prioritize the processes and technologies that need to be updated.
  • Be proactive and set up a CCPA program management office to handle regulatory accountability, remediation, and implementation.
  • Implement regulation monitoring procedures to ensure your business continues to be in compliance over the long run.

Businesses will benefit too

Consumers want to do business with companies that protect their data privacy. As a compliant organization, you’ll be able to market your adherence, which in turn can help boost sales and customer loyalty.

Not to be discounted is the personal information you collect. You’ll know exactly where the information came from and have better control of its accuracy, enabling you to really know your customers and improve your marketing strategies.