Earlier in the month we published an article on the creation of the California Consumer Privacy Act and the rights it seeks to afford business customers. So why should IT professionals be concerned with CCPA? As organizations discovered during the GDPR transition, many areas of security, data storage, and compliance management fall under or include the IT team. So the obvious initial questions are: What are the consequences of non-compliance? And what steps can businesses take to comply with these types of consumer privacy laws?
Keep reading to find some answers.
Consequences Of Non-Compliance With The CCPA
The California Attorney General can levy CCPA penalties on any non-compliant company doing business in the state. The civil penalty for intentionally violating the Act can be as high as $7,500 per violation.
Consumers also have the right to seek relief for any damage done by the sale of their personal information. Statutory damages can range from $100 to $750 per California resident per incident. That can add up quickly.
What Steps Can Businesses Take to Comply With The CCPA
- Include Opportunities to Opt Out of Personal Data Sale or Collection on Forms and Pages
Businesses are required to supply a link or button on the homepage that allows consumers to opt out of the sale of their personal data. Typically, the title of the link is “Do Not Sell My Personal Information.” They should also refrain from selling the personal information of any consumer below 16 years old without their or their parents’ affirmative consent.
- Develop Processes and Systems to Handle Consumer Data Disclosure Requests
Businesses must provide at least two ways (telephone and website) through which consumers can submit requests for certain privacy information, as provided within their rights. The telephone number must be toll-free. A website is required, too. When businesses receive any request from a consumer concerning this information, they must reply within 45 days.
- Be Sure Not To Offer Different Services to Consumers Based on Whether They Opt Out Of Data Collection or Sharing
Businesses must still conduct business, without any discrimination, with consumers who exercise their privacy rights as provided under the Act. They must not deny such consumers goods or services. They must not provide a lower quality of goods or services, or charge a higher price, because of this. The only exception to the pricing requirement is “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Under that condition, businesses can charge a higher rate. Of course, that clause may be interpreted differently, and might turn out to be a major loophole.
- Familiarize Yourself With Consumer Compensation Plans for Sharing Data
Businesses can offer money to consumers in exchange for their personal information. If the consumers agree, they relinquish their rights to the businesses.