What is the California Consumer Privacy Act?



Many California businesses will need to address new compliance and privacy requirements this year due to the California Consumer Privacy Act (CCPA), which went into effect on January 1st, 2020. CCPA established new data privacy rights relating to how businesses handle consumers’ data. Companies that fall under CCPA have a six-month grace period before enforcement actions from the California attorney general begin in July.

Once enforcement begins, penalties being out of compliance are up to $7,500 per intentional violation and up to $2,500 per unintentional violation. Consumers also have the right to pursue individual actions against companies that mishandle their data.

Does CCPA apply to you?

CCPA regulates any company that does business in California (or has customers who live in California) and falls into at least one of the following categories:

  • Earns annual gross revenues over $25 million
  • Receives, buys, sells or shares the personal information of at least 50,000 California consumers
  • Derives at least half of annual revenue from selling the information of California residents

For more details on the CCPA standards, see Microsoft’s FAQ.

How to Prepare for CCPA Enforcement

If CCPA applies to you and your business, you’ll want to start taking steps to ensure you’re compliant now. Here are a few things to keep in mind:

1. Understand the scope of your obligations

First you need to understand what kind of consumer data you are collecting and storing. CCPA defines “personal information” as anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes things like:

  • Personal identifiers (names, addresses, emails, social security numbers, driver’s license numbers, etc.)
  • Geolocation
  • Biometric information
  • Employment information
  • Educational information
  • Internet or network activity

If you don’t already have a good understanding of what data you’re collecting and how you’re storing it, you’ll want to get a compliance assessment. If you have a Microsoft 365 subscription, you already have access to the Microsoft 365 Compliance Center and the new Compliance Score. These tools will help you assess your current compliance posture and point out areas that require improvement.

2. Develop processes for responding to Data Subject Requests (DSRs)

CCPA gives consumers the right to control how companies use their information, including the right to access, delete, or transfer data. Consumers exercise these rights by submitting Data Subject Requests (DSRs) to companies, and businesses subject to CCPA will be obligated to review and respond to each DSR in a timely manner. The Microsoft 365 Compliance Center can help you streamline the DSR response process and is another reason why we recommend Microsoft.

3. Find and secure sensitive data

Most businesses are not taking steps to secure corporate data, and data breaches are becoming more common every day. Because CCPA imposes penalties for data breaches of consumer information, it’s important to have the right systems in place for securing sensitive data. Tools like Message Encryption, which enables users to encrypt messages going in and out of your organization, and Microsoft Information Protection, which blocks sensitive data from leaving the organization, are a critical part of your compliance stack.

4. Train your employees

CCPA requires all employees who are responsible for the company’s compliance or might find themselves handling requests related to data privacy (opting out, deleting or accessing information, etc) to undergo specific training about how CCPA works and what it requires. This training requirement most likely covers all customer service representatives along with the company’s legal/compliance team. You will want to make sure all employees who are required to undergo CCPA training complete it before enforcement actions begin later this year.

TechMD Can Help

If you have any questions about how CCPA might affect your business, please feel free to reach out to us!