In the world of data privacy, startups have an advantage over more established companies: the opportunity to manage customer data closely and mindfully from the outset. With this mindfulness comes the opportunity to create differentiation and build customer trust by demonstrating responsible management of customer data.
On January 1, 2020, data privacy came to the forefront in the US when the new California Consumer Privacy Act (CCPA) went into effect. This new data privacy legislation follows closely on the heels of the 2018 rollout of the GDPR regulations focusing on European data privacy.
Think CCPA is only for large companies? Think again. You are a startup: how many users do you have? More than 50,000? Then CCPA would apply to you. And later-stage startups are quite possibly generating more than $25M in revenue, another threshold for complying with CCPA.
While companies meeting specific CCPA business and location thresholds are required to comply, increasingly customers and employees may expect you to comply with the CCPA standard, irrespective of whether you are technically required by the CCPA or not.
CCPA Business & Location Thresholds for Compliance
Even if you are not strictly within the scope of the CCPA, you may want to get ahead of compliance — as customers become increasingly used to being able to manage the personal data stored by companies, they will notice the absence of these rights on your website.
In essence, the CCPA may be viewed as a de facto US-wide law.
For new companies starting out there is the opportunity to build data privacy compliance into your processes from the beginning to minimize exposure downstream, and build a relationship of trust with customers from the outset.
Be Mindful: Build privacy protection into your processes from the outset to minimize exposure downstream and build a relationship of trust with customers.
The CCPA provides individuals with new rights regarding their personal data, how it is stored, and how it is used by businesses. Under the CCPA, individuals have 3 main rights related to their data.
These rights now place significant responsibilities on companies in terms of being able to know what personal data they are storing, being able to find what data they are storing and also being able to delete this data if requested.
Be Mindful: Keep track and secure any personal data you store, and only store what you really need to store.
Customer data sits in many places, including cloud storage, emails, customer support chats, and cloud SaaS services, such as Salesforce, Marketo, Google Analytics, Zendesk, and Hubspot.
The scope of data covered under CCPA is vast, and once a data request is made by an individual, the company needs to be able to find ALL the data relating to that person, including any of the following:
CCPA requires companies to respond within 45 days to a data request and also keep records of requests they receive under the CCPA and how they responded.
Be Mindful: Keep a close inventory of where you are storing customer data and avoid data sprawl to minimize security exposure and the effort to respond to CCPA requests downstream.
There are onerous fines and legal liability for data that is accessed without authorization. CCPA allows for regulatory action from the California Attorney General, and/or allows individuals to sue directly (which in California, can mean class action lawsuits). The fines/legal liability range from $250 to $7500 per record violated. This means that the regulatory and/or legal liability can potentially exceed the revenue or assets of the company.
With the high potential liability associated with having unauthorized data access, startups are well advised to get ahead of discovering and managing the kinds of information they have stored in different places and understand how data is being used. Once a data inventory has been performed, decide what data is necessary to keep going forward and what should be deleted.
Be Mindful: Build CCPA compliance into your processes. Don’t wait for a breach to implement a privacy program for personal information.
Please visit us online for more information on the DocuVision Privacy Portal Generator and getting your privacy program up and running.
DocuVision.ai: Privacy by Design