California Consumer Privacy Act (CCPA)
Does the California Consumer Privacy Act Apply to Your Business?
- Does your business have more than $25 million in revenue?
- Do you buy or sell the personal information of 50,000 or more consumers?
- Do you derive 50% or more of your annual revenue from selling consumers’ personal information?
If you answered yes to any of these questions and you do business in the State of California, the California Consumer Privacy Act (CCPA) applies to you. The Act was approved by the California State Governor on June 28, 2018, and goes into effect on January 1, 2020. It requires businesses that collect the personal information of consumers to rework privacy and data security policies and procedures across business lines and throughout the data life cycle.
California Consumer Privacy Act of 2018
In June 2018, the California State Legislature passed the California Consumer Privacy Act of 2018 (CCPA), a comprehensive consumer privacy law that marks a monumental shift in U.S. data privacy regulation. With the effective deadline just months away on January 1, 2020, businesses are scrambling to understand and meet the law’s extensive requirements. The CCPA, which ranks as the strictest privacy law in the nation, applies to most companies, even those outside of California, that do business in California and possess data on California residents. With many other states following California’s lead and introducing similar privacy bills, now is the time to prepare your business for the CCPA.
Is Your Data Regulated by the CCPA?
A major change that the new law brings to the U.S. privacy regime is its expansive definition of “Personal Information.” This new definition includes information that was never before considered to be “personal” under any U.S. law. Under the CCPA, any information that is capable of being associated with, or could be reasonably linked to, a person or household is considered Personal Information regulated by the law. This means that, for example, an IP address of a California resident qualifies as Personal Information under the CCPA. Businesses must re-evaluate the data they collect and receive that could possibly include information relating to California residents, from email lists to website server logs.
High Impact Regulatory Compliance Assessment
Impact Group has developed a phased methodology to assess your current compliance with the current law, conduct a gap analysis versus the Law’s requirements, and develop a prioritized plan that will document the steps you must take to become compliant with the Law. And, because we are a full-service IT consulting firm, we can assist in addressing the deficiencies in your current systems. We can also assess compliance with other privacy laws, such as the California Shine the Light Law or the EU’s GDPR.
Impact Group works in cooperation with Nadeem Schwen, a data privacy & cybersecurity attorney, and a partner at Winthrop & Weinstine with a technical background in computer engineering. Nadeem also serves as co-chair of the Minneapolis/St. Paul chapter of the International Association of Privacy Professionals, and is a regular speaker and author on data privacy and security topics.
Proven High Impact Regulatory Compliance Methodology
For businesses that need to be compliant with the upcoming CCPA regulation, we offer the following approach, which includes a gap assessment of the current data, systems, processes, and policies relative to the CCPA requirements and the development of a prioritized plan to remediate those gaps. This project includes the assessment of all client operations and websites.
Impact Group utilizes a proven, fact-based regulatory compliance methodology that is tailored to the unique needs of each client and the scope of the regulation. Below is a summary description of our proposed four-phased approach:
- Preparation — Work with the Project Sponsor and key stakeholders to confirm the project objectives, scope and project team roles/responsibilities
- Compliance Gap Assessment — Assess the current state of technology, information security, and governance relative to the scope of the CCPA
- Prioritized Compliance Plan — Develop a prioritized implementation plan to close compliance gaps and control weaknesses
- Implement Gap Remediation — Develop processes, policies, procedures and other artifacts necessary to demonstrate compliance
Concerned About Compliance?
With the compliance deadline approaching quickly, now is the time to determine your plan of action. Although some uncertainty remains and amendments to the law are still pending, there are concrete steps that businesses can take today to drastically reduce the risk of fines, costly litigation, and other financial & PR nightmares. If you have any questions about the CCPA or its applicability to your business, contact us using the form below.