The European Union kicked off a broader conversation about how companies protect the privacy of their customers when it rolled out the General Data Protection Regulation (GDPR), effective in May 2018. Some companies may have let the GDPR conversation pass them by, since it affected U.S.-based companies only if they store and/or process personal information for individuals who reside in the EU or the greater European Economic Area (EEA). But the idea of privacy protections may not be so foreign going forward. On January 1, California enacted the California Consumer Privacy Act (CCPA), one of the most comprehensive data privacy laws in the United States to date.

Finance departments may not be fully involved in administering their company’s CCPA requirements, but they should be prepared for requests from their risk management teams to ensure the company becomes compliant with the new requirements. Privacy protection may quickly become another enterprise risk that organizations will need to monitor and address.

10,000-Foot View of the CCPA

Safeguarding personal information from corruption, compromise or loss is paramount today. Similar to Europe’s GDPR, the CCPA strives to protect the consumer’s right to be informed of how their personal data is handled, used, and distributed.

Who is Affected?

The CCPA affects a wide array of organizations and businesses in California, as well as those that do business in the state or with California consumers. It applies to a business if it meets one or more of the following criteria:

  • Has annual gross revenues in excess of $25 million
  • Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
  • Derives 50% or more of its annual revenues from selling consumers' personal information

There are a few exceptions based on the kind of consumer data a company collects. These exceptions include data protected by the federal Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or the Driver’s Privacy Protection Act (DPPA).

When Do I Need to Be Compliant with the CCPA?

The CCPA technically went into effect on Jan. 1, 2020, but there is a six-month grace period until July 1, 2020, before the attorney general of California will enforce the CCPA regulations. It remains to be seen how the attorney general will prosecute infractions. The California attorney general is allowed to bring a civil action to enforce the CCPA, but how frequently, and under what circumstances? Civil penalties for intentional violations of the law could result in fines of up to $7,500 per infraction.

What CFOs Can do to Help with Compliance

For those organizations that made the effort to comply with GDPR, the CCPA should be an easy transition. Companies that were not affected by the GDPR may need to follow a few key steps to help their organization become compliant.

Risk management teams will need to update privacy policies and notices so that they explain what types of personal information the organization collects from California residents and what purpose that collection serves. Processes will also need to be updated to ensure the organization honors consumer rights, including disclosure of data usage, access to personal data, deletion of data on request, anti-discrimination, opt-out/opt-in website requirements, and privacy policy requirements.

CFOs will want to note that additional investment may be needed to update data processes and systems. A key element of the CCPA requires organizations to track specific information on consumer data, which may mean new technology solutions to assist with data inventory. The organization will also need a process for documenting and responding to customer requests, which may also require some additional investment.

For many, figuring out how to comply is a daunting task. For some, it may not even be on the radar, but getting started and familiarizing yourself with the CCPA is an important first step. As data privacy continues to be an area of concern for U.S. citizens, we expect to see data privacy laws and protection increase.

Future Implications

As one of the first states to implement such a robust privacy law, California opens the door for other states to enact similar privacy protections. The CCPA sets the bar for consumer rights and protection in the U.S.

Financial leaders should keep up to date on what their organization is doing to ensure CCPA compliance. Penalties for CCPA noncompliance, if incurred, will have a broader impact on the organization.

For More Information

For assistance in preparing for the CCPA, or for additional information, contact us.

Published on January 23, 2020