By Shane Nolan, IDA Ireland
Protecting consumer privacy
has now become a mandate and not an option for California companies or those
holding data on any of its 40 million residents as a result of the new
California Consumer Privacy Act (CCPA).
It became law on January 1 this year and, while it won't be enforced
until July 1, various surveys find that between 56%
and 88% of companies aren't yet ready for this groundbreaking new regulation.
Denial is understandable
given how profitable technology-driven online marketing has been for firms
worldwide since high-tech tools facilitating the slicing and dicing of consumer
data came to the fore. However, some company abuses and the understandable
fears of consumers regarding bad actors accessing and using their personal data
have helped usher in a brave new world of regulation that will only increase in
scope and geographic coverage.
The European Union's
General Data Protection Regulation (GDPR), a similar act, which went into
effect on May 2, 2018, led the charge toward protecting personal information
but the CCPA in some ways goes even further. Therefore, it's incumbent on
companies to fully understand the CCPA and take the right steps forward without
delay. Here are three critical tips to
assist in that task.
Don't wait until enforcement begins on July 1, 2020, to take action.
It's
true that the potentially significant fines involved -- $2,500 for each record
of unintentional violation and $7,500 for each record of intentional violation
-- won't be assessed until mid-summer begins. However, delaying until then
wastes the time needed to put systems in place and test them. The smart move is
to build compliance into a company's software development cycle immediately.
Also, it's imperative to appoint someone in-house right away to manage CCPA
compliance. A suitable motivator is that
these fines apply to each violation and a company could have hundreds,
thousands or even millions of data records.
Don't assume CCPA doesn't apply to your company.
The essence of the CCPA is
that California consumers will now have the power to see personal data gathered
about them, know all third parties who've been given this data and have the right
to be removed from databases, whether online or offline. Being located outside California doesn't protect you
from the CCPA because it covers any company anywhere that holds data on
California residents and this massive state is America's largest,
population-wise. The CCPA applies to companies that
have annual gross revenues of $25 million or more, buy or sell more than 50,000
individuals' data and make more than half of annual revenues from selling
customer data. This covers many, many companies.
Being GDPR compliant doesn't mean you're also covered for CCPA.
Many U.S. companies doing
business in the EU have had to make themselves GDPR compliant but that doesn't
automatically mean they're ready for the CCPA -- although the experience of
putting privacy-protecting processes in place is a positive for any regulations
imposed. GDPR is fully focused on the holders of personal data on EU citizens
while the CCPA has become a watchdog over for-profit direct-marketing and
digital advertising companies holding data on California residents. CCPA goes
further than GDPR in its concern with information going through a household's
or person's digital devices rather than just stored records on individuals.
Good news for companies using cloud services [1] from
some giants like Google, Amazon, SAP, Microsoft and others is that these firms
have had to make themselves CCPA compliant and they help their partners do so
as well, which lowers the implementation burden on small and medium businesses.
The wisest approach is to
assume that protecting consumer privacy and personal data should be baked into
any business process going forward. Having the people, processes and expertise
in place is becoming a fundamental part of doing business online and firms that
ignore that fact do so at their peril.
## About the Author
Shane Nolan is senior vice
president of consumer and business services for IDA Ireland, the country's
agency working with foreign companies locating there. To contact Shane email: [email protected]
[1] sources:
https://threatpost.com/microsoft-to-apply-californias-privacy-law-to-all-u-s-users/150101/
https://martechseries.com/mts-insights/staff-writers/measuring-ccpa-preparedness-big-data-companies-facts-insights/