Since October you’ve been hearing about them: the proposed CCPA regulations coming out of California. You’ve read some articles and want your company set up and ready for success this year (the law took effect January 1). But some of the legal jargon is hard to wade through, and it is not always obvious what actually applies to your IT job.
We’re here to help. The burning question is: Do you know what data you are collecting and retaining? As an IT professional, this is key for you and your company, since the CCPA regulations are all about the privacy of personal data. The law is designed so that California residents:
- understand what personal information is being collected about them.
- know whether their personal information is sold or disclosed and to whom.
- can say no to the sale of personal information.
- are able to access their personal information.
- have equal service and price, even if they exercise their privacy rights.
The regulations are designed to help companies with implementation and cover several main areas, including:
- Handling Consumer Requests: Unless your business operates exclusively online and has a direct relationship with its consumers, you must offer at least two ways for consumers to submit a request. One of them has to be a toll-free number; for the other you can choose email, regular mail, or a web form. Only companies that operate exclusively online and have a direct relationship with consumers can forgo the toll-free number and offer just an email address. As the IT team, have these channels been set up? And has the team been trained on the timeline for responding to requests?
- Information Sharing/Verification Requirements: In response to a request to know, your business must never disclose the following: an individual’s Social Security number, driver’s license number or other government-issued ID number, financial account number, health insurance or medical identification number, account passwords, or security questions and answers. For everything you are allowed to release, you must first verify that the requester is who they claim to be. For consumers who already hold a password-protected account, that can mean requiring them to re-authenticate before the request is fulfilled. As an IT professional, you should lead the charge on this effort, and consider which system will keep the data most secure while doing so.
- Handling the Personal Information of Minors: The regulations spell out specific methods for verifying that the person opting in to the sale of personal information of a child under 13 is actually the child’s parent or guardian, and they require an affirmative opt-in (rather than an opt-out) for consumers between 13 and 15. If your company deals with this sort of data, read up on the specifics for this regulation and add any necessary components to your technology packages.
- Offering Financial Incentives: If your business runs a loyalty program, or offers both a subscription service and a free tier, it needs to understand the new (and complicated) rules on financial incentives. Calculating the value of the customer data likely does not fall to you as the IT professional, but ensuring that the systems in place can accurately track who has opted in to which incentive does.
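As an added illustration of the verification and disclosure points above (example code written for this page, not BetterCloud’s product or the text of the regulations), here is a minimal request-to-know handler in Python. It refuses to release anything unless the requester holds a session for that consumer with a recent re-authentication, and it exports fields from an allowlist rather than stripping a denylist, so a newly added column is withheld by default instead of leaking. The field names, the 15-minute re-authentication window, and the sample consumer record are constructed assumptions; your own data classification would replace them.

```python
"""Request-to-know export: verify the requester, then disclose only what is
allowed. Added example; field names, policy values and sample data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Categories the regulations say must never be released in response to a
# request to know, whatever column or key they happen to live under.
NEVER_DISCLOSE = {
    "ssn", "drivers_license", "government_id", "financial_account_number",
    "health_insurance_id", "medical_id", "password_hash",
    "security_question", "security_answer",
}

# Allowlist: only fields explicitly classified as disclosable are exported.
# Anything unclassified is withheld by default, so a new column added to the
# customer table cannot leak just because nobody remembered to denylist it.
DISCLOSABLE = {
    "name", "email", "postal_address", "purchase_history",
    "marketing_preferences",
}
assert not (DISCLOSABLE & NEVER_DISCLOSE), "field classified both ways"

REAUTH_WINDOW = timedelta(minutes=15)  # assumed policy value


class VerificationError(Exception):
    """Requester could not be verified as the consumer the data belongs to."""


@dataclass
class Session:
    consumer_id: str
    last_reauth: Optional[datetime]  # None: never re-entered credentials


def assert_verified(session: Session, consumer_id: str, now: datetime) -> None:
    """Require a session for the right consumer with a recent re-authentication."""
    if session.consumer_id != consumer_id:
        raise VerificationError("session does not belong to requested consumer")
    if session.last_reauth is None or now - session.last_reauth > REAUTH_WINDOW:
        raise VerificationError("re-authentication required before release")


def export_for_request_to_know(
    consumer_id: str, record: Dict[str, object], session: Session, now: datetime
) -> Dict[str, object]:
    """Return the disclosable fields and the names of everything withheld."""
    assert_verified(session, consumer_id, now)
    disclosed = {k: v for k, v in record.items() if k in DISCLOSABLE}
    withheld = sorted(k for k in record if k not in DISCLOSABLE)
    return {"consumer_id": consumer_id, "disclosed": disclosed,
            "withheld_fields": withheld}


def request_rejected(consumer_id: str, record: Dict[str, object],
                     session: Session, now: datetime) -> bool:
    """True if the export is refused for verification reasons."""
    try:
        export_for_request_to_know(consumer_id, record, session, now)
    except VerificationError:
        return True
    return False


# Constructed sample data (not real people or credentials).
NOW = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = {
    "name": "A. Example",
    "email": "a.example@example.com",
    "postal_address": "1 Sample St, Sacramento, CA",
    "purchase_history": ["order-1", "order-2"],
    "ssn": "000-00-0000",
    "password_hash": "$argon2id$...",
    "security_answer": "fluffy",
    "loyalty_notes": "internal CS notes",  # unclassified -> withheld by default
}
FRESH_SESSION = Session("c-1001", NOW - timedelta(minutes=5))
STALE_SESSION = Session("c-1001", NOW - timedelta(hours=3))
OTHER_SESSION = Session("c-2002", NOW - timedelta(minutes=1))

if __name__ == "__main__":
    print(export_for_request_to_know("c-1001", SAMPLE_RECORD, FRESH_SESSION, NOW))
```

The returned `withheld_fields` list is useful for your own audit log, not for the consumer: it tells you which stored fields were never classified, which is exactly the inventory gap the rest of this article keeps pointing at.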
Now that you know the basics, let’s go even deeper. Five amendments were passed in October 2019 to further clarify the CCPA. These may answer some lingering questions you have regarding customer notices, privacy policies, verification requirements, and more. Here’s how they break down:
1. Employee data is excluded from a consumer’s right to access, delete, and opt out. Employers must still provide notice of what employee data they collect and remain subject to the law’s data-breach provisions for that data.
What does that mean for you? Employees cannot use the CCPA to demand access to, or deletion of, their HR files, but you must still keep those files and any other digital data about your employees secure. If you do not already have a secure storage plan for that data, you should find a solution soon.
2. Information that is “publicly available” and “deidentified or aggregate” is not considered “personal information.”
What does that mean for you? If the data you collect cannot reasonably be tied to a particular person, or is lawfully available from government records, you do not need to make adjustments to your technology or systems for that particular information. It does reinforce that you need to know what sort of data your company is collecting and keeping, and how each piece is classified, so that you can be sure the proper systems are in place.
3. B2B exemption for one year (until January 1, 2021)
This refers to B2B communications or transactions where “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”
What does this mean for you?
Not all B2B data is excluded. Much of the marketing data can still be in scope, and even for data covered by the exemption the right to opt out of sale still applies. It’s critical to know your data and what can and can’t be exempt, and to consider any customer contract requirements as well.
If some data is CCPA exempt and other information is not, you need to know what data goes where and who can access what. You also need to know what relationships your company has with other businesses so you can better understand if any shared employee data is CCPA exempt or not.
Additionally, data already regulated under the Fair Credit Reporting Act is exempt from the CCPA.
4. Vehicle ownership information shared between a dealer and the manufacturer for a vehicle repair covered by a warranty or recall is not subject to the right to opt out.
What does this mean for you? If you do not work in the automobile industry, this is not relevant to your job. If you do, it means your systems need to distinguish the vehicle ownership data shared for warranty and recall repairs, which is exempt from opt-out, from the rest of your customer data, which is not.
5. If your company does business exclusively online and has a direct relationship with the customer, having only an email address for consumer requests is acceptable.
What does this mean for you? If your company qualifies as an online-only business with a direct relationship with the customer, you do not need to set up a toll-free number for consumer requests. As described previously, you do need to make sure an email address is available, that everyone on the team knows where those emails go, and that there is a system in place for prompt replies.
CCPA requires you to control access to personal data, honor the right to deletion, maintain reasonable security practices, and more. Learn more about how BetterCloud can help with these areas, or request a demo.