The average business utilizes the services of over 200 other companies in its daily operations. One Bomgar survey found that, on average, 181 vendors were granted access to the company network per week. Similarly, consider your customers and how you interface with them. Both vendor and customer interactions are often intertwined with compliance burdens.
We have seen it all before, with the HIPAA business associate designation, the deluge of new provisions that have made their way into the average contract, or the third-party assessments that measure a company’s ability to meet compliance requirements. Those under the CCPA know they cannot fulfill their obligations unless they ensure those they do business with also adhere to some or all of the requirements. Each of these companies, in turn, must do the same.
You may not have felt the effects of the CCPA yet, but you likely will soon, and some of the CCPA provisions that trickle down to you may result in changes to core business processes. Let’s consider some of these provisions.
The Right to Know
California consumers have the right to request what information is collected, used, shared, or sold for business purposes. This request can include not only what data a business has in its possession, but also how it was collected, why it was collected, and which third-parties, if any, have access. If you are processing, hosting, using, or selling information as part of the services you offer another company, you might need to track this information and be able to provide it to the company that interfaces with the Californian customer.
The Right to Access
Not only do California consumers have a right to know what data is collected, but businesses must notify the consumer when the information is gathered initially. The consumer then may reach out under the right to know provision to request what data was collected and why. Your company may need to be able to supply reports of exactly what data was obtained for specific customers, retain these records, and be able to produce them upon request.
The Right to Delete
Once the consumer knows that their personal information was collected, they have the right to request that data be deleted. This request must be fulfilled by the business, as well as any third-party providers that access or maintain that information within a specified time frame. Failure to confirm or comply with the Act’s time limit may result in fines or other actions. This deletion requirement necessitates much more granular storage and backup mechanisms so that data on specific customers can be identified and removed.
The Right to Opt-Out
Another right California consumers will have under the CCPA is the right to opt-out of the sale of their data. For example, if the information is gathered on a company website, businesses will be required to provide a “Do Not Sell My Personal Information” link whereby consumers can opt-out at the time of collection. Existing data monetization scenarios will need to be reevaluated in light of CCPA.
CCPA Compliance: Governance
Expectations are that businesses will implement policies and procedures for handling incoming requests as a part of the CCPA compliance requirements. These procedures must address the time frame for which a business must confirm and comply with incoming requests, as well as the duration for which the claim will be maintained to prove compliance.
Fines and Penalties
Although the Act is in effect as of January 1, 2020, enforcement of the CCPA will not begin until July 1, 2020. Businesses that do not meet compliance requirements after July 1, may face penalties of up to $2,500 per incident or $7,500 for each intentional violation. Those who may not be directly affected by the CCPA, but provide services to those that do, may find non-compliance more costly.
Under the “six degrees of separation” theory, a person is connected to any other person in the world by six or fewer connections. How many connections away from CCPA compliance, are you?
The information provided in this blog post does not, and is not intended to, constitute legal or other professional advice. It is solely meant for informational purposes. If you require legal and/or privacy advice, please contact your law firm.