For any startups based in California or selling products/services to those in California, it is vital that you understand and comply with the CCPA - the California Consumer Privacy Act. 

This is a state-wide data privacy law that offers regulation in terms of how companies all over the world are able to handle the personal information of residents in California.

Representing the first law of its kind in the United States, no start-up can afford to ignore this piece of legislation. With that being said, below, we are going to reveal everything you need to know about CCPA compliance and how to implement it. 

Image source

What is CCPA compliance?

There is only one place to begin, and this is by explaining what CCPA compliance is. The California Consumer Privacy Act gives customers greater control over the personal information that companies collect about them. 

The landmark legislation gives consumers in California the following privacy rights:

• The right to non-discrimination for exercising their rights in terms of CCPA
• The right to opt-out of their personal information being sold
• The right to delete personal information that has been collected from them, with a few exceptions
• The right to know what personal data a company collects about them and how it is used and shared 
  

You may sometimes see the abbreviation ‘CCPA’ and ‘CPRA’ used interchangeably. This is because a recent update has seen the CPRA replace the CCPA. Osano's guide to the CPRA is a good place to find out more information about this.

The California Consumer Privacy Act of 2018 was replaced by the California Privacy Rights Act of 2020. There are some requirements that remained the same, whereas others were changed. 

When we talk about CCPA compliance, we also mean complying with the newest CPRA regulations. You can't simply pick and choose.

Image source

What is covered in the CCPA?

As the CCPA provides users with greater control over their data, a lot of the regulations cover the many in which companies gather and distribute private information that is collected via their website and other digital methods.

Users will contact the company and ask for information about their data usage and storage, and businesses need to comply with certain requests. This includes requests from users for the following:

• All of the data they have collected and stored
• A list of the third parties that have access to the person’s data
• The company’s reason for collecting the user data and selling it
• Every category of source whereby the data is collected, for example, medical, contact, financial, and so on
  

Aside from this, businesses need to take action if the user requests the following:

• Their data to be ported
• To stay safe from discrimination for requesting the control of their data
• Stop the sale of their data
• Ask for their data to be deleted

Do you need to comply with CCPA?

Before we reveal some of the different ways you can ensure CCPA compliance, let’s take a look at who needs to comply with CCPA so you can determine whether or not this is relevant to your business.

Any company that gathers data on Californian residents (even if it’s just one!), needs to make sure they are compliant.

Professionals believe that these regulations are going to drive similar laws in other states in the United States as well, ensuring users have more control over their data. Therefore, this is only the beginning when it comes to user privacy. 

If you do not work with California data at the moment, you should still track the details relating to CCPA so you can fully comprehend the regulations and what is likely to be expected of you in the near future.

Some of the other indications that you need to follow the CCPA regulations are as follows:

• You have a yearly gross revenue income of a minimum of $25 million
• You gather data for commercial reasons on a minimum of 50,000 customers
• A minimum of 50 percent of your yearly revenue comes from selling products or services 

‍

Image source

Advice on how your start-up can become CCPA compliant

When cybersecurity is involved, CCPA compliance can be complicated and convoluted. However, there are some steps that you can follow to make sure that your new business does not fall foul of the law when it comes to data security. 

1. Put together a team or assign an individual who can manage data privacy - The first step is to make sure you have a dedicated web development team or person who can handle all of your business’s compliance standards, including CCPA. This team should ensure the right cybersecurity methods are implemented surrounding data protection. You may think that it will cost a lot of money to have a dedicated team or role for security and compliance. However, the cost of not doing so would be much, much greater.
2. Inventory your data to discover what needs to be gathered and protected - Once you have a team in place, you need to understand how data is collected and also how it flows from one system to the next. Put together a roadmap like this so that you can understand what data you are gathering and what cybersecurity controls are needed. If you do not know what data you have, you are not going to be able to protect it. 
3. Carry out a risk assessment - Next, doing a risk assessment is important. During this, your business will be able to find out what data you have and what systems are used to store this data. You will then be able to generate different strategies, which include unknown infrastructure. Every business is different. However, by understanding the risks relating to your data, you can make sure that you have the best provisions in place to ensure that issues do not manifest in the future. 
4. Develop tools for data protection and implement them effectively - You can either use custom code to create your own tools or you can use third-party implementations. It depends on the size and experience of your business, as well as your resources. From access controls to advanced cybersecurity, there are lots of layers of protection that you should be using to ensure that data is safeguarded such as these best no logs VPNs.
5. Define governance and policies over data - Next, you need to have data protection policies in place. These policies should oversee the monitoring and mitigation of consumer data, including supply chain risk management and vendor access. 
6. Maintain an audit trail of all of the procedures and policies you use for data privacy - Last but not least, do not ignore the importance of policy and auditing trails. Make sure you review your policies on a regular basis, as the data landscape is changing all of the time. Identify any mistakes you have made or lessons you need to learn so that you can make improvements in the future. 

Are there any penalties for businesses that do not adhere to CCPA?

Yes, there are! You will not simply get off with a slap on the wrist if you do not adhere to the CCPA regulations that are in place. After an audit has been carried out, you may receive a notice that your systems are not compliant. If this is the case, you will have 30 days to fix the issue. If you do not, you could have a $7,500 fine to pay for every issue. 

Furthermore, for every data breach, users will be able to seek $750 in damages. However, this is the only beginning. You will have to spend a considerable sum of money on getting to the bottom of the issue and rectifying it. 

If that was not enough, your reputation could end up in tatters. Customers will no longer trust your business anymore. Trust takes years to build but only a matter of seconds to be ruined. This is something that no start-up can afford, which is why we have seen many shut their doors permanently after a data breach.

Did you know that 60 percent of small businesses permanently close within six months after falling victim to a cyber-attack or data breach?

Don’t cut corners when it comes to CCPA compliance

We hope that this guide has helped you to get a better understanding of CCPA compliance so that you can make sure your start-up adheres to the rules that are in place. 

User privacy and data security are not areas whereby any business can afford to cut corners. If your business was found to be non-compliant, the fines alone would be enough to cripple a small business and force them to close its doors. 

With that being said, follow the tips and advice that we have provided above to make sure that your business achieves CCPA compliance effectively.