With the New Year approaching, many Minnesota businesses should be thinking about California. Not for a warm place to visit, but to comply with the California Consumer Privacy Act (CCPA). The new law, which takes effect Jan. 1, will require many Minnesota businesses to comply with its requirements for protecting consumers’ privacy or face the possibility of fines and private legal actions. If they haven’t already, Minnesota businesses should act now to understand CCPA, adopt appropriate data practices and manage the risks CCPA may bring.
CCPA gives consumers the right to know what personal data is collected, how and why it is being collected, and with whom the data is being shared. Consumers are also entitled to access their data, request that it be deleted, and prevent it from being sold to third parties. The new law will affect any company that collects or processes personal information about California residents and has annual revenue of at least $25 million; buys, sells, receives or shares for commercial purposes data on at least 50,000 people, households or devices; or derives 50% or more of its revenue from collecting and selling consumer personal information.
For example, if you are collecting information from California residents via your website, you may need to comply with CCPA if you meet one of the three general criteria listed above. California’s attorney general will enforce the CCPA, but consumers may also be entitled to bring a private right of action for violations.
If a company is subject to the CCPA, it should create a compliance action plan and begin to assess related enterprise risk. This will be a lighter lift for those that have already performed this exercise for the European Union’s General Data Protection Regulation (GDPR). Companies not subject to the CCPA would still be well served to assess their data-collection practices, as multiple states in this country have already passed or are working toward enacting similar legislation. After all, California’s data breach law was, and remains, the standard after which many other similar U.S. state laws are modeled — and the same could happen with the CCPA in the realm of privacy.
The first step to compliance is to fully understand where your data on individuals is being collected and where it may be shared. Is data transferred to or from businesses or organizations in California, or to organizations that buy, sell or process data about California residents? How is data shared with vendors or third parties, including third parties processing employee data?
Next, review and update internal privacy and security policies. Update your online privacy policies and notices. CCPA requires that you tell consumers what kinds of third parties their data is shared with. Establish processes to respond to requests by consumers regarding their data. Your information-technology department will need to establish a way to retrieve this data quickly so you can respond to consumer requests in a timely fashion.
It’s also important to manage your vendors to ensure they are in compliance with CCPA. Contracts need to be updated, audits conducted and assignment of liabilities made clear. Undertake regular reviews of record-keeping practices and update for new requirements as CCPA regulations and enforcement practices evolve.
Violations of CCPA, like data breaches, could produce potential liabilities of millions of dollars or more in legal fees, fines, payouts to private parties, reputational harm, network fixes and other costs.
It’s prudent to evaluate your liabilities and determine what part of these risks should be covered by insurance. Keep in mind that general liability coverage does not typically cover the costs of CCPA violations and other data privacy violations.
Complying with CCPA makes sense for many, if not most, businesses. The legal trend here and in foreign markets is toward more privacy protections for individuals. Meeting stricter privacy standards is increasingly a critical part of doing business, now and in the future.
Dan Hanson is an insurance and risk management professional with Marsh & McLennan Agency LLC. He can be reached at firstname.lastname@example.org. This article is not intended to be taken as advice regarding any individual situation.