When Does CCPA Start?
- The California Consumer Privacy Act (CCPA) is effective January 1, 2020.
- It also includes a 12-month “look-back” period to January 1, 2019.
- It is also important to note that several amendments to the Act are still pending.
What Does CCPA Say?
While a good part of CCPA is directed at entities who collect and sell personal information for profit, there are significant sections that would be applicable to professional services firms. Specifically, the Act is intended to:
- “…grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”
- “…require a business to make disclosures about the information and the purposes for which it is used.”
- “…grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.”
- “…grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.”
- “…require a business to provide this information in response to a verifiable consumer request.”
Who Is Covered?
You do not need to have physical operations in California for this regulation to apply. It applies to any for-profit entity “doing business” in the state that either:
- has annual gross revenue over $25,000,000;
- buys, sells, receives or shares, for commercial purposes, the personal information of 50,000 or more consumers, devices or households on an annual basis; or
- derives 50 percent or more of its annual revenue from selling consumers’ personal information.
The CCPA allows individuals to sue businesses if their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information….”
In addition, businesses could be subject to statutory fines of up to $7,500 per violation. The Act also makes reference to “any person, business, or service provider that intentionally violates this title” and reserves the higher penalties for those that willfully disregard it.
Recommended Best Practices for CCPA Compliance
Your firm’s general counsel and management must define compliance for your organization, but some best practices include:
- Do not store more information on individuals than you need
- Do not buy, sell or otherwise share contacts’ personal information
- Perform a security review of your firm as well as any relevant vendors
- Take a close look at the data in your CRM system to determine:
  - How many contacts you have with a California address
  - How many contacts you have with no geographical identifiers. (Just because you don’t know where they are does not mean their data is exempt.)
  - The number of duplicate and potential duplicate records you have
  - Any other data you may be holding on your contacts
- Define and evaluate inactive/stagnant contacts and consider deleting them on a regular basis
- Evaluate and document your “unsubscribe” process
- Evaluate and document your process for deletion of contact data upon request of a contact
Data privacy regulations are here to stay and, for the first time in the U.S., carry significant penalties. When dealing with compliance in the area of anti-spam and privacy regulations such as CCPA, GDPR and CASL, it’s important to note that the compliance landscape is constantly changing. In fact, since the passage of CCPA, many other states have followed California’s lead and introduced their own data privacy legislation – and similar proposals are also being considered at the federal level. Additionally, many of the existing regulations have not yet been thoroughly tested. As a result, some of the guidance and best practices may change as new developments occur.
While professional services firms most likely were not foremost in legislators’ minds when writing these regulations, they are indeed still subject to them when the defining criteria are met and should evaluate their data and processes accordingly.
The purpose of this article is to provide general guidance and best practices for professional services firms on the development of their compliance programs. This article is also not intended to be exhaustive since each firm will have unique existing systems and unique processes that will need to be considered.
If you need assistance with your firm’s specific circumstances, or you just don’t have enough resources to dedicate to the development or implementation of these processes, CLIENTSFirst can help.
For more than a decade, the team at CLIENTSFirst Consulting has been helping professional services firms and other organizations successfully select and implement CRM and eMarketing systems to maximize value, adoption and return on investment. If you need help achieving CRM Success, please contact us at 404-249-9914 or Info@ClientsFirstConsulting.com.