98% of Businesses Still not CCPA Compliant - Are You One of Them?
The California Consumer Privacy Act took effect on January 1, 2020. Despite the impending deadline, as of July 2019, 98% of companies did not consider themselves fully compliant - an overwhelming majority that could face legal trouble.
Although CCPA was signed into law over 18 months ago, businesses are still slow to act and implement the required changes. Some companies feel overwhelmed, some do not believe they will be fined, and most do not feel compelled to take on a laborious project. However, those that understand the law realize that noncompliance and data breaches carry far greater negative consequences than the effort of complying.
The Direct Financial Burden Associated with Noncompliance
- Civil Penalties - The main liability provision of CCPA is found in Section 1798.155(b). A civil action is brought in the name of the people of the State of California by the Attorney General against a company that fails to cure an alleged violation within 30 days of being notified of the noncompliance. A violation of CCPA can result in a fine of up to $2,500 per violation and up to $7,500 per intentional violation.
- Private Right of Action - CCPA’s Section 1798.150 gives California residents a private right of action if their personal information has been exposed because of a lack of appropriate security measures. An affected consumer can recover statutory damages ranging from $100 to $750 per incident, or actual damages, whichever is higher. Consumers do not have to show proof of damages to file a lawsuit.
Here are some of the things your company should do, as well as systems you need to have in place to ensure your organization is compliant with CCPA regulations.
- Review what data your company is collecting, where it is stored, and what your organization is doing with it. CCPA is all about data privacy, so this step should be your primary focus.
- Go over any third-party suppliers’ service level agreements and check which providers need to be compliant with CCPA. This should be part of your business-wide policy review and include any previous agreements about selling your customers’ personal information.
- Include CCPA-compliant language in your data privacy policies and add provisions covering the consumer rights granted by the law. These include the right to data deletion and the right to opt out of the sale of personal information.
- Create a data request form for your customers. Once it is in place, you should also have identity verification in place to guarantee that the person making the request is who they claim to be; otherwise the request process itself becomes a channel for leaking personal data.
- According to the 2019 Verizon Data Breach Investigations Report, over 80% of data breaches involve a compromised password. Adopting secure two-factor authentication (2FA), multi-factor authentication (MFA), or biometrics in place of passwords is highly advised.
- Train employees about CCPA compliance and how to avoid violations.
Data privacy is the next big focus for many companies. Even if your organization currently does not have to be CCPA compliant, this may change in the future. For instance, a marketing campaign could go viral and bring in tens of thousands of new leads - some of whom are covered by the law.
For more information on CCPA compliance, download our CCPA quick checklist.
Don’t Wait Until It’s Too Late
Digital operations are steadily blurring geographic boundaries for most businesses. Even if you are not physically in California, there are many ways CCPA can affect you, much as GDPR does. GDPR has already produced multiple fines; however, given the stronger culture of litigation in the United States, even more lawsuits are expected to arise from CCPA noncompliance. Knowing what data you are collecting, training your employees, and using biometric technology will help you avoid hefty fines.