What is the CCPA and How Will it Affect Records Management?

Image courtesy of Lightspeed.

Enactment of GDPR last year has required organizations  to protect European data subjects' rights and clarified what companies that process personal data must do to safeguard these rights.

A year later, CCPA has been designed to give Californians more control over their personal data and will be the most comprehensive privacy law in the US to date. Let's talk about what this privacy law entails and how it will affect your organization and managing your information.

What is it?

The  California Consumer Protection Act (CCPA) will become operative on January  1, 2020. The objective of this act is to regulate the personal information  of Californian consumers, as it will increase their privacy rights with the following five guarantees:

• 1. To know what personal information is collected about them
  2. To know whether their personal information is sold/disclosed, and to whom
  3. To access their personal information that has been collected
  4. To have a business delete their personal information, if requested
  5. Not to be discriminated against for exercising their rights under the Act

Who is impacted?

The CCPA will impact organizations that sell or collect personal information from or about Californian consumers. This applies to for-profit businesses operating in California that collect personal information of California Consumers and fall under one or more of the three points below:

• 1. Have annual gross revenue over $25M (USD)
  2. Annually buy, receive, sell, or share personal information of over 50,000  Californian consumers, households, or devices
  3. Derive at least 50% of their annual revenue from selling Californian consumers' personal information

Companies that both intentionally or unintentionally violate these guidelines will be subject to fines.

According to iapp, the Californian attorney general may bring action against any company or individual person violating the CCPA for up to $2,500: meaning  an organization that has (unintentionally) sold information of 100 profiles   of individuals who have opted-out would be penalized $25,000.  If a violation is found to be intentional, the cap would go up to $7,500 per individual. 

What does this Act  mean for organizations' business obligations?

As with ensuring compliance for GDPR, organizations will be required to put a lot of planning and efforts into meeting CCPA criteria. This will  impose new business obligations, such as :

• needing to provide notice to consumer prior to collection of their data;
• creating procedures to effectively respond when consumers opt-out;
• responding to requests from consumers who  inquire about what  information is stored and/or make requests to delete of opt-out;
• verifying the identity of inquiring consumers, whether or not the consumer holds a password-protected account with the business;
• if unable to verify a request, complying to the greatest extent   they can (more details at oag.ca.gov);
• and disclosing financial incentives offered for exchange of consumers' personal information, along with the ability to clearly show the value of this information (must include how this incentive is permitted under CCPA).

With this upcoming criteria, organizations will not only have to impose new email and ad marketing strategies and update their consumer-facing business processes, but  changes will also be required with how they manage their consumer-related data and information.

How will this impact organizations'  records management?

With enactment of this Act and those that will follow, it is critical for organizations to keep data relevant, accurate, and maintain adequate information security. The CCPA will require companies to ensure they have proper support, tracking, and reporting platforms around data protection and management. Retention schedules may be shortened in the case that consumers reach out and ask for their personal information to be deleted.

So in terms of records management, the following should be considered moving forward:

• Organizations should understand what Personal Data they hold, and how it is classified. See our Compliance Checklist for an overview of necessary steps to  achieve compliance.
• In addition, current retention policies and schedules should be reviewed to ensure compliance with CCPA. This would include the ability to easily adjust and customize lifecycle workflows as necessary.
• Both electronic and physical records should be managed in a way where eDiscovery is optimized. When a consumer requests personal information, organization member should be able to easily search and access said data.
• Organizations should have the procedures and tools necessary to opt-out and dispose of personal information, in case this is requested by a Californian consumer.
• Ensuring that this Personal Data is protected and data breach procedures. An option is using a ransomware-proof, WORM-compliant solution to fully secure consumers' information.

Both GDPR and CCPA signify a growing movement that will give consumers more rights over their personal information. As these Acts evolve, and as more get implemented, organizations should take the measures to not only focus on checking off the marketing and  business strategies basics, but adjust their records  management practices and data privacy measures in accordance.  

Want help getting started? We've got a team of information governance experts at the ready to  lend a hand with your organization's strategic support and project planning guidance. In addition, we offer solutions such as Collabware CLM and Collabspace   help ensure compliance and boost productivity around managing your records. Download the free, full compliance checklist below, or contact us with your questions.