The California Consumer Privacy Act (CCPA) was enacted in mid-2018 and is meant to safeguard consumers’ privacy rights within the state of California. CCPA will enable Californians, and Americans in general, to enjoy a range of privacy rights by subjecting businesses to stricter regulations. It will apply to both established companies and startups.
Even though the law will go into effect on 1st January 2020, startups ought to understand its critical components as well as what it takes to be compliant. Once the law goes into effect, clients will be able to demand disclosure of all personal data that your business collects from them. Therefore, CCPA seals all loopholes that were hitherto used by businesses to commodify consumer data.
What the Enactment of CCPA Will Mean to Startups
Just as is the case with established businesses, startups collect personal details from clients, be it credit card numbers, social security numbers, or addresses. Sometimes, such data ends up getting misused. Likewise, some companies fail to disclose the collection of this data to their clients in the first place. Until now, companies could do whatever they wanted with consumer data. This was brought to light by the Equifax hacking incident.
Regulators could only step in after such incidents to penalize the companies involved. There was little that consumers could do on their part to ensure that their data didn’t get misused. Thanks to CCPA, Californians will enjoy protections that echo what Europeans get via their highly successful GDPR law.
Data security remains a serious concern for most startups. The CCPA gives your clients more rights relating to how you collect, use, store, and transfer their data. Failure to provide disclosures can bring unnecessary regulatory scrutiny, which damages your reputation. If your startup directly collects and processes the personal data of California residents, you are mandated to adhere to the CCPA.
Similarly, you must abide by the legislation if more than 50% of your data comes from selling personal information. Companies with annual gross revenues exceeding $25 million also need to comply with the legislation. Under CCPA, personal data includes any information that identifies or can be linked directly or indirectly to a specific consumer.
How Startups Can Comply
For years, PCI compliance was widely considered by startups to be the gold standard of regulatory compliance. CCPA promises to change the compliance landscape altogether since it focuses on controls that give consumers a say about their data. The CCPA compliance journey starts with examining and understanding all your startup’s data flows, especially those that involve personal data.
To comply, you must move away from business practices that aren’t CCPA-compliant. Similarly, you should understand how your business currently uses customers’ data as defined by CCPA. Internal stakeholders should be involved in this since they will help you pinpoint how and where personal data is collected, stored, used, and transferred. Your startup cannot be compliant if you don’t have a clear picture of personal data flows within your systems.
Most startups have a data privacy policy in place. You need to ensure that whatever policy you have in place meets the requirements of the CCPA. Likewise, you should understand the specific rights that the legislation grants consumers. Compliance requires an in-depth understanding of how the rights apply to a startup based on its business models. Staying compliant might mean updating your data security and privacy policies to match the CCPA requirements, which will undoubtedly keep changing once the legislation is enacted.
Does CCPA Stifle Startups?
The passing of the CCPA was met with widespread apprehension and displeasure, especially from Silicon Valley, which is the hub of startup entrepreneurship in California. Contrary to public perception, CCPA isn’t meant to stifle startups or even large corporations. It only seeks to protect consumers from the misuse of their data. Just as was the case in Europe, startups will face a big headache when it comes to complying with CCPA.
Updating your startup’s data privacy and security policies requires a lot of work. Nonetheless, it’s a worthwhile undertaking since it proves to your clients that you are willing to protect their data from misuse. Startups that rely on personal data for targeted advertising are likely to be affected since CCPA somehow clashes with their business model. Therefore, you should take deliberate steps towards ensuring that you comply with the legislation even before it comes into effect.
According to Fortune Magazine, the proper implementation of CCPA can make it one of the best privacy laws ever enacted. Even with all its good intentions, there are lots of compliance issues that need to be addressed before the legislation comes into effect. For instance, if you have a mailing list containing the names and email addresses of your clients, should you be worried about being accused of storing customer data? Hopefully, such concerns will be addressed in due course.