Start preparing for the California Consumer Privacy Act.

Why firms should start preparing for the California Consumer Privacy Act.

The Golden State is taking consumer privacy to the next level. In June 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. Similar to the GDPR, the CCPA is designed to protect client data by enforcing tighter restrictions on how companies collect, share, and sell personal information.

The goal of the act is to show consumers exactly how their data is being used. The CCPA specifically forces companies to reveal what data they’re collecting on California clients and whether they’re selling said data, and to give consumers a clear opt-out to prevent the sale of their information (or even erase their information from a company’s database). 


Who does the CCPA apply to?

The act affects any for-profit business, firm, or organization collecting personal data on California residents. Any captured data, including personal info, behavioral data, online activity, and buyer history, requires transparency under the privacy act. Even organizations with just one California client are legally obligated to comply. With hefty financial penalties associated with non-compliance, the clock is ticking for businesses to get on board.


According to the CCPA, “business” means:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.


Why it pays to play it safe. 

According to the CCPA, if a business “has failed to implement and maintain reasonable security procedures and practices,” it can be held accountable. In other words, the CCPA can hold companies financially liable for not playing by the rules. The cost of not following reasonable security procedures and practices can reach up to $7,000 in fines per incident. If you have a thousand clients in your database, you could potentially rack up fines totaling $7,000,000. At that point, you’re not worried about your bottom line, because you’re probably out of business. 


What happens in the event of a security breach?

Under the CCPA, any data breach can trigger an even closer investigation into a company’s privacy practices. Even if an employee uses a weak password (like “password”) and a hacker (unsurprisingly) gains entry, the company can be held responsible under the CCPA. So, how can firms prevent this scenario? By investing in secure tools and committing to educating staff on best practices. 

In a time when data breaches are imminent and inevitable, businesses need to take proactive steps to provide the safest environment for their clients. While firms can’t control when they’re hit with a cyberattack, they can prioritize secure software and best practices that guarantee strong safety measures. Tools that enforce multi-factor authentication, present an alternative to email communication, and offer secure file sharing provide some of the best defenses.


What does this mean for firms?

If your firm has already dealt with GDPR, you aren’t fully covered for CCPA — but you’re close. There are additional requirements you’ll need to meet, including categorizing the personal information you’re collecting as well as ensuring reasonable security practices are in place. With the privacy act going into effect as early as January 2020, firms have a short window to understand the law and put a plan in motion. 

Given the stakes, professional services firms and their software providers need to clearly outline what the state refers to as “reasonable” security practices. Guidance published by agencies including the IRS and NIST will likely carry significant weight in terms of whether or not reasonable security procedures are being used. Likewise, software providers will need to evolve to ensure that strong passwords and best practices are baked into their products and processes. Bottom line: everyone needs to work together to prepare for the CCPA. 


The future of data protection. 

In terms of state-enforced data privacy, California is just the beginning. As data protection gains traction, we’re likely to see other states follow suit in favor of protecting resident information. Now more than ever, businesses need to prioritize security-focused tools and stay diligent on best practices to protect client data and their bottom line.