California’s Consumer Protection Act (CCPA) is coming into effect January 1, 2020, bringing with it broad changes in how businesses are allowed to collect, use, and share their customers’ personal information.
The type of personal information in question includes almost any data that is a personal characteristic or behavior. This includes biometric data, household purchasing information, geographical location, financial choices, as well as almost every metric that can be gleaned with sophisticated analytical software tools.
So, generally speaking, almost all data collected by today’s businesses (for use in marketing research, customer service improvement, and strategy) is going to be subject to the incoming rules set by the CCPA.
The vast quantity of data involved in CCPA’s scope means that becoming compliant is a big undertaking, leaving many businesses unsure how exactly to respond. This leaves many CIOs asking the question:
Can my company’s content management system (CMS) and data management practices be made to comply with CCPA’s privacy laws?
If you’re unsure of the answer, don’t panic. There is time for a review and adjustment of your CMS before the calendar flips from 2019 to 2020.
Let’s take a quick look at the basic outline of the CCPA and its potential implications for the businesses that will ultimately be affected by it:
What is the California Consumer Protection Act (CCPA)?
CCPA is a California bill passed in July of 2018 to protect the privacy and rights of consumers residing within the State of California. The CCPA bill will give California residents far-reaching power over the use and distribution of their personal information. As of January 1, 2020, California residents will be granted the right to:
- Know what information is being collected about them.
- Know how their personal information is being used.
- Opt out of sharing personal information with businesses without repercussions.
- Request the deletion of their personal information by businesses that fall under CCPA’s criteria umbrella.
A chief objective of CCPA is to enable California residents to have control over the collection and use of their personal information. It’s a unique state-based privacy law that has gained international attention and is somewhat similar to the EU’s recent GDPR regulations.
Businesses that aren’t prepared to comply with California’s new privacy bill may be subjected to costly litigation and hefty financial penalties. And California-based businesses are not the only ones expected to abide by CCPA’s privacy measures.
All businesses that offer goods and services to residents within California are required to comply with California’s Consumer Protection Act (CCPA) as of January 1, 2020.
Why? Because CCPA legislation is designed to protect the residents of California. So, businesses that are based outside of California but do business with California residents will be expected by the State of California to comply with CCPA legislation.
Who needs to comply? Essentially, any business that can collect, store, use, or share personal information belonging to a California resident, and also meets the criteria of the CCPA, is required to comply. Businesses that adhere to CCPA’s legislation must also meet at least one of the following criteria:
- Have an annual revenue of over $25 million USD.
- Generate over 50% of total revenue from selling personal information.
- Purchase, collect, or share personal information from more than fifty thousand consumers, households, or electronic devices from within California.
How does a company’s CMS need to change to meet CCPA compliance?
Businesses that comply with CCPA will need their CMS to be able to:
- receive consent from their users before collecting their personal data.
- inform users how their personal information will be used.
- not revoke or reduce services to users that choose to opt out of sharing their personal information.
- delete a user’s personal information upon request.
- inform users how their personal information has been used, upon request.
- ensure collected personal information is secure.
What are the penalties of non-compliance with CCPA?
Penalties associated with CCPA non-compliance are some of the harshest penalties yet in the privacy arena of law. Businesses that do not comply with CCPA’s regulations could face the following penalties:
- Up to $2500 in fines for each unintended infraction.
- Up to $7500 in fines for each intended infraction.
With such high penalties, any resulting fines from non-compliance could easily skyrocket, potentially bankrupting a company. Therefore, it’s easy to understand how important it is for companies to get a firm handle on complying with the newest privacy laws before they come into effect. Auditing your company’s CMS and data handling procedures is an ideal place to start the process towards becoming CCPA-friendly, especially when you consider the cost of an audit vs. a data breach.
How do we Achieve CMS Compliance for CCPA?
CIOs aiming to attain CCPA compliance should prepare for a serious review of their current CMS. They need to ask if their current CMS can properly support their company’s ability to comply with California’s privacy laws.
When the new laws come into effect, a company’s CMS should have trustworthy features that can uphold, respect, and protect its customers’ personal information. Some examples of what a CMS needs to achieve are:
- Consent Management
- Data Portability
- Removal of Data Upon Request
Take an Open Source CMS Approach towards CCPA Compliance
One of the key strengths of Drupal is its security. Securing the assistance of expert Drupal developers is a smart and comprehensive option worth considering as part of a company’s CCPA compliance process. Open source CMS options can be customized, facilitating compliance with the CCPA and other data privacy laws.