Companies must be ready for data requests from current and former customers and assessments from regulators in the Golden State.
If your inbox is full of privacy update emails, it’s a warning that the California Consumer Privacy Act is now in force.
California Gov. Jerry Brown signed the bill on June 28, 2018, and the new compliance rules took effect on January 1. The CCPA is a comprehensive data privacy law, comparable to the General Data Protection Regulation in the European Union and the Digital Privacy Act in Canada.
The CCPA applies to all California companies that meet one or more of these criteria:
- Has annual gross revenues of more than $25 million
- Buys, sells or shares the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenue from the sale of consumers' personal information (PI)
The state’s economic impact report predicts that 75% of California companies will have to comply with the rules and that the initial compliance investment will be around $55 billion.
The report estimates that companies with fewer than 20 employees will spend $50,000, companies with 100-500 employees will spend $450,000, and companies with more than 500 employees will spend $2 million.
Companies started their compliance efforts last year, but progress is still slow.
PwC recommends developing an enterprise approach to comply with CCPA:
- Test the readiness of the company’s high-risk areas to provide regulators with evidence of operational privacy controls.
- In high-risk areas that show weak controls, identify current technical capabilities and develop business requirements to expand and strengthen those controls.
- Pilot new privacy technologies first in the highest-risk, highest-impact areas.
- Use the pilot results to define your organization's future privacy technology ecosystem.
- Develop a cross-functional task force, including technology, data governance, data ethics, security, risk, compliance, legal and privacy experts to support evolving changes in the baseline of privacy technology.
Security company Data443 proposes the following steps to comply with the CCPA:
- Offer a ‘Don’t sell my data’ option to all customers.
- Make it easy for customers to opt out.
- Create a process for current and former customers to submit a subject access request.
- Consider employees, retirees, and other categories of information holders when developing policies and procedures.
- Update privacy and compliance policies with revised disclosures and data collection practices.
- Create handling, processing and collection procedures for data from children and minors.
- Track changes at the state level and adjust policies as necessary.
Jason Remillard, founder and CEO of Data443, believes that there will be a federal law that standardizes the collection of customer data.
“Microsoft has already announced a compliance program at the national level for CCPA-level services in 2020. I expect others to follow this example if there is no national legislation,” Remillard said.
Maine and Nevada have already passed data privacy laws, and 11 other state legislatures considered similar bills in 2018. Five states have established task forces to study the issue. The California law started as a citizens’ ballot initiative.