The California Consumer Privacy Act (CCPA) has become the most discussed, most complex and most anticipated privacy law in the US. It became effective January 1, 2020, yet it still leaves startups with a daunting task: how to ensure compliance. This is a crucial task if startups want to remain competitive, not to mention stay out of trouble and avoid fines.

When it comes to compliance, startups can find themselves in a tougher position than larger industry players in terms of resources and personnel. They often lack the resources to ensure CCPA compliance, and many don’t have an extra budget to outsource the compliance process. Working with an experienced consultant, attorney or other legal professional can be an option, even for smaller companies. In this article, however, we aim to provide guidance specifically for startups on understanding and meeting the requirements of the new California Consumer Privacy Act.

What is the California Consumer Privacy Act (CCPA)?

The CCPA provides a tool for California consumers to protect their personal information. It gives consumers the right to know what information is being collected about them, where it is being shared and used, and to control the transfer of their data.

The CCPA imposes several legal obligations on businesses that process, share, or sell data of California residents. These privacy obligations are enforced through a combination of private enforcement (including the right to file a lawsuit) and administrative enforcement.

Who is Subject to the CCPA?

The CCPA applies to businesses with annual gross revenues over twenty-five million dollars, companies that buy or sell the personal data of fifty thousand or more California residents, households, or devices, and companies that derive at least half of their annual revenues from selling personal data.

The CCPA applies to all types of businesses, including startups. It is important for businesses to determine if the CCPA applies to them and their data practices. It is important to note that businesses that don’t meet the CCPA threshold may be subject to California’s new Data Broker Regulations which also went into effect in January 2020.

Steps for Establishing CCPA Compliance

For startups that are subject to the CCPA, the following steps should be taken to ensure compliance:

  1. Perform a Data Security Analysis

Startups need to analyze their data security practices to determine if they are in compliance with the CCPA and GDPR. This analysis should evaluate the security practices of the business, including data storage, data transmission, and data access authorization.

  2. Create a CCPA Compliance Notice

Startups must create a CCPA Compliance Notice and make it available to the public. This is a crucial requirement of the CCPA. The notice should provide information on the type of data collected, how it’s used, how it’s shared, and how it’s safeguarded. The CCPA requires businesses to provide a link to the notice on the homepage or within the footer of the website.

  3. Create a CCPA Opt-out Page

The CCPA requires businesses to provide a mechanism for their customers to opt-out of the sale of their personal data. This opt-out page must include detailed information about the opt-out process and must be prominently displayed.

  4. Create a Data Access Request Page

The CCPA requires businesses to provide a process for customers to access their personal data, including to verify it, delete it, and/or request a copy of it.

  5. Implement Data Security Protocols

The CCPA requires businesses to take reasonable steps to ensure the privacy and security of the collected personal information. This can include data encryption, data pseudonymization, and two-factor authentication, as well as regular data security audits.

  6. Create an Employee Training Program

Employees must be trained on the CCPA regulations to ensure they understand their obligations when handling personal information. Training courses must cover the privacy practices required under the law as well as any new updates.

  7. Download a CCPA Compliance Checklist

Finally, a CCPA compliance checklist must be downloaded and filed to ensure the CCPA requirements are met. This will help startups keep track of which requirements have been met and which still remain to be tackled.

By understanding the requirements of the California Consumer Privacy Act and taking the necessary steps to ensure compliance, startups in the state of California can protect their customers’ personal information and avoid possible legal trouble or fines. Startups do not need to outsource their compliance process, but if resources are available, the guidance and assistance of a legal or consulting professional can be helpful. By downloading a CCPA compliance checklist and performing the necessary data security analysis and training, startups can ensure they remain compliant while operating in the state of California.