California’s Consumer Privacy Act (CCPA) came into effect on the first of January 2020, and while we haven’t seen any CCPA penalties handed out yet, I’m betting one is coming any day now. Given provocative comments from California’s Attorney General, companies recognize they must get compliant in a hurry. Those who don’t are looking at a $2,500 fine for unintentional violations, and $7,500 for intentional ones. And that’s per violation—how many individuals’ data does your company handle?
Of course, I covered the eligibility requirements, and definitions of relevant terms (like “household identifiable information”) back when CCPA milestone dates were announced. As a refresher, if your company captures data on Californians you need to comply with CCPA if you meet any one of these eligibility requirements:
- Has annual gross revenues in excess of twenty-five million dollars
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
FUD notwithstanding, I’m choosing to focus on demonstrating your progress toward achieving compliance in case you hear from California’s Attorney General. So, what are the quickest, easiest steps to implement changes that will not only demonstrate your effort to comply but also improve your data security?
1. Audit Your Information
The risk of fines exists even though specific stipulations within CCPA are still a ‘moving target’, as California is collecting feedback from companies and residents until July.
One step you need to take now—since you’ll need to know it down the road anyway—is understanding what sensitive information you collect and store, where it lives, and who handles it. Not knowing the answer to this question when asked by the AG’s office is a sure-fire way to show you aren’t compliant very early in the process, so be sure to document the results of your audit.
The consultation period extending into July might lead some of you to believe that you have time to get your house in order. Wrong! You need to rethink your compliance strategy and specific actions fast, as the law is being enforced now. California’s Attorney General has said that showing efforts towards compliance would lead to leniency for companies (especially smaller ones). In contrast, those who have done nothing will have the Office of the Attorney General “descend on them and make an example of them.”
3. Test the Subject Access Request Process
Just like you would practice dealing with a breach, you should also practice dealing with a Subject Access Request (SAR). For Californians wishing to understand the data your company has collected or stored about them, a SAR is the primary means they have to access these records. So run some dummy requests to understand the process and what will be required on your end to comply with them. The challenges you face during this exercise are also likely to dictate downstream action to address compliance issues, as the legislation sets specific timelines for your organization to meet these requests.
Completing these three steps should put you in a defensible position to demonstrate initial efforts to comply – and hopefully experience the AG’s lenience should they come a-knockin’.
Reduce Your Risk with a Virtual CISO
ActZero can help you meet the requirements of CCPA. Our Virtual CISOs can help guide you, create policies, provide documentation, and help you understand which of your data is sensitive/private under the CCPA, and which steps constitute “reasonable security procedures and practices.”
Our Managed Detection and Response service helps to mitigate the risk of your data being subject to unauthorized access, theft, or disclosure by actively detecting indicators of compromise before they become breaches, and by responding to minimize the amount and sensitivity of data exposed, accessed, or exfiltrated. We also provide you with a monthly report detailing your security hygiene, enabling you to harden your systems further and improve your prevention posture.
Remember, CCPA is in effect right now, and if you aren’t compliant already, you have to demonstrate the steps you are taking to comply sooner rather than later. If your organization has limited privacy, data, or compliance expertise, you can engage ActZero Networks for help with California’s Consumer Privacy Act. Be proactive and prepared, and improve your data security at the same time: reach out to us today, and protect your business.