California is home to many of the biggest names in technology. And it recently passed a new law called the California Consumer Privacy Act of 2018 (CCPA). While the law doesn’t go into effect until the 1st of January 2020, it is expected to affect businesses throughout the world, not just in the United States.
The Act will impact how companies handle customer data, utilize it and secure it. It has been called by many lawmakers as the strictest data protection law in the history of the United States. It has also been seen as the equivalent of the General Data Protection Regulation (GDPR) passed in the EU this year.
As a business operating today, handling user data is no longer an option, it is a requisite. However, the constant misuse and theft of user data by companies such as Cambridge Analytica, Facebook, Yahoo, Apple and Google has brought on this regulation. And companies should abide by laws that hold them accountable to their users and to the government.
In this paradigm shift, it’s probably a good idea to get a professional law firm to review your company’s laws and regulations right down to the employee handbook to make sure that you’re abiding by the CCPA. It will help you avoid potential lawsuits in the future and a slew of fines and fees that may be slapped on your business if it simply tried to transition into the post CCPA era without making any changes to its laws at all.
Here are a few fundamental changes that will need to be made.
Physical Presence Doesn’t Matter
_092.jpg)
The Internet has made the world a global village. This line is a cliché, but that doesn’t make it any less true. Ones physical presence doesn’t matter as long as services and products are concerned. You could be operating in the biggest cities in the US and be sending out products to the remotest villages in India.
And if that’s true, why should laws take in to account your physical presence?
The CCPA applies to any and all businesses that carry out transactions with customers who are residents of California and fulfill one of three requirements. The business should have annual gross revenues of over $25 million, it should derive 50% or more of its annual revenues from selling consumer’s personal information, or it should buy, sell, receive, and share for business commercial purposes, the personal information of 50,000 or more consumers, devices or households each year.
Your business could fall into either or all three of these categories and you may not even know it. It’s the responsible thing to do to get a law firm to look over your transactions and customer relationships so that you can be sure whether you fall into the CCPA’s jurisdiction or not.
Informing Customers how their Information will be used
This is a no brainer. Almost every tech company that you are a customer of sent over renewed privacy policies around the time the GDPR came into effect. It related to all the companies complying with the regulation. The ones that didn’t simply didn’t have the resources or the foresight to start early enough so that they could revisit their privacy policies entirely.
To avoid an incident like this, it’s imperative that you start now. You may have a privacy policy that may need rewording or some practices that may need reforming, and you also may have to rework your entire company handbook. So take a leaf from recent history and start early. Get a law firm to give you a good deal on scanning your policies and reworking them to fit the CCPA.
Handling Access Requests
This is the most important and revolutionary part of the CCPA. It follows the GDPR in kind. The law allows consumers to request a full record of their personal information that is collected by a business. Under the CCPA, businesses are required to disclose the type of personal information collected where the information is collected, for business or commercial purposes, for collecting or selling information and the type of third parties with whom the information will be shared.
This means that you will have to create a protocol that will allow customers to get their data within the shortest amount of time of submitting their request. It’s imperative that you create such a protocol, because without it, handling these data requests will be a colossal waste of time and money.
Integrating data from several sources within your system may take too much time and the customer in question may launch a complaint if that happens.
Lawyers will tell you the technicalities of handling that data request and the timeframe that you will need to abide by.
Processing Children’s Data
Companies must also have a separate set of rules for minors. Parents are required to give consent regarding the sale of data for children younger than 13 and businesses must track this consent. Children over 13 and up to 16 years of age can opt in themselves.
Hence, if your services target children, even if you think they don’t, you should revamp your policies specifically for them. Children are often huge demographics that make up your customer bases. Even if your product is targeted towards adults or the youth, you may find that children are more often than not, interested.
Law relating to children and consent can be very tricky, and violating it has a particularly nasty backlash from society. You definitely want that on your record. Hence, it’s imperative that you get a law firm to look at your company’s policies to make sure they are kid friendly.
The CCPA is a huge change to business all over the world, and rather than falling asleep at the wheel, companies should change with the times and adopt policies that will protect consumers and their own interests alike.