The Time is Now to Enforce CCPA: Are You Ready?
As of 2006, California maintains an estimated population of 12%. Your consumer database is also likely to include information about California citizens/consumers. If that's the case, you have to protect the details about those people.
The California Consumer Privacy Act (CCPA) applies to any for-profit organization doing business in California that collects, shares, or sells California consumers' data. The entity is covered if it has annual gross revenues above $25 million or possesses the personal information of 50,000 or more individuals, households, or devices as well as if it earns more than half of its annual revenue from selling consumers' personal information.
To learn more about CCPA compliance issues, I contacted Samir Patel, director of universal collaboration and communications at Netrix.
Here is an edited version of our discussion.
G: Is CCPA focused on the contact center, or are there other enterprise systems affected?
S: Yes, unified communications and collaboration (UCC) and other technologies that collect citizen data. In becoming compliant with regulations like General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), companies can go public with a proactive message that security and compliance are important to them. So is earning their customers’ trust as a result. CCPA covers both enterprise-based and cloud-based operations.
G: How will CCPA be enforced?
S: CCPA has already taken effect on Jan 1, 2020, with a six-month enforcement delay, which may extend to Jan 2021. Much has been written about the CCPA’s set of rights regarding consumer personal information and steps businesses must take to respond to consumer requests. Less attention has been paid to another portion of the bill which allows consumers to sue businesses directly for mishandling their personal information.
G: Companies that don't comply with CCPA can now expect stiff penalties from the government. What are some best practices companies should follow when attempting to mitigate risks?
S: Between GDPR, CCPA, and the other data privacy laws going into effect, there are a few data privacy best practices that organizations can follow. When it comes to preparing for CCPA, the following are recommended considerations.
- Create an internal privacy framework
- Do more with less data
- Automate compliance efforts
- Create policy and enforce for internal and external privacy posture
G: Businesses that continue to invest in UCC tools risk potential privacy pitfalls that can be detrimental to both operations and customer loyalty if mismanaged. Why must companies be mindful of how their vendors and partners use customer data?
S: Unified communications comprises various solutions to provide a single interface for end users to interact with internal teams and their customers. UCC and contact centers have recording requirements for calls, audio and video conferencing. Within the CCPA - at the point of collecting personal data - there is an obligation to inform consumers of the types of information that must be collected, and the use purposes. Additionally, consumers must be informed about the right to deletion and the right to opt-out of the sale of their personal information. As a customer is interacting with a UCaaS vendor, all should expect compliance from any third-party vendors who are part of solutions to adhere to the same standards to ensure that they are earning the customer’s trust.
G: How can companies ensure their third-party vendors are CCPA compliant?
S: When requested from a consumer, the following information categories must be provided:
- Specific pieces of personal information the business has collected about the consumer
- Personal information the company sold about the consumer
- Third parties to whom the consumer’s personal information was sold (identified by category of personal data for each third party)
- Personal information that the business disclosed about the consumer for a business purpose
Entities have to enforce the same from third parties to ensure that all data can be provided and managed as per request.
G: What steps should organizations follow to create clear, thorough, compliant privacy policies?
- Determine what your company does with consumer/personal data
- Ensure your company’s treatment of personal data is legally compliant
- Test and revise the full compliance policy per CCPA or any other privacy law
G: Are there any cost estimates and staff requirements for CCPA compliance?
S: The California attorney general recently published a report assessing CCPA compliance costs. Based on experiences with similar obligations and those associated with GDPR, the report predicts that small firms will face disproportionately higher CCPA compliance costs relative to larger enterprises. It also posits that holistic data regulation laws may provide a competitive advantage to large businesses, which can invest significant in-house compliance resources to adjust quickly, while small competitors struggle to adapt.
The report estimates compliance costs based on the size of the company:
- Small firm (<20 employees): $50,000
- Medium-sized companies (20-100 employees): $100,000
- Medium/large-sized companies (101-500 employees): $450,000
- Large companies (>500 employees): $2,000,000
For the future, budget now or pay the penalties. It’s critical to start your compliance projects immediately. If you haven’t yet started compliance efforts and implementation, you are behind your competitors: Most large companies have already started compliance efforts (84%) and implementation (56%).