The California Consumer Privacy Act (CCPA) enters the enforcement phase this week, which means that California’s Attorney General can now take direct action against any business that violates the law’s privacy protection requirements. With COVID-19 pushing more and more businesses to rely on online data – from restaurants relying on online orders to higher education moving its curriculum online – the legislation is more relevant than ever before. Here are three things all businesses should keep in mind to comply with CCPA.
CCPA Isn’t Limited to Businesses in California
While CCPA provides privacy and data access rights to California residents, its implications extend well beyond the state’s borders. Any business that has revenue of over $25 million and processes the personal information – including things like IP addresses – of over 50,000 California residents or derives more than 50% of its income from selling personal information must comply, regardless of whether it is actually based in California. If you’re based in New Jersey but have clients in California, you still have to comply. Soon, the kind of regulations that CCPA establishes could become national. The legislation is likely to set a precedent nationally – more than ten other states are introducing data protection laws – and it could set the framework for federal law, too.
Businesses That Have Taken Reasonable Security Measures Won’t Be Fined for Breaches
Under CCPA, consumers can claim up to $750 for violation of their personal information following a data breach unless companies can demonstrate that they took reasonable security measures. That means encrypting sensitive data and providing employees with security training to protect that data. It also applies to the vendors companies choose to use – it’s your responsibility to make sure any third-party vendors that process your customer data are privacy compliant. Even with the best security, breaches sometimes still happen, and the legislation recognizes that. However, those breaches shouldn’t be the result of company negligence – and businesses should be able to demonstrate that.
You Don’t Have to Protect the Data You Don’t Keep
This may seem obvious, but it’s something businesses should keep in mind. The more data you collect, the more you have to protect for compliance purposes. Being smart about which data you collect can mean avoiding a security and privacy headache. Maybe your business doesn’t need to store credit card numbers or people’s phone numbers. Think carefully about what data should be collected – and the steps you’ll need to take to protect it – and let go of any personal data that you don’t need.
With CCPA, businesses can embrace data privacy and prepare themselves to comply with any future data privacy legislation. Vaporstream helps businesses stay compliant by storing data from communications only in an archive they own – allowing businesses to automatically protect their information without having to worry about it being vulnerable.