We’ve all been hearing about the California Consumer Privacy Act of 2018 (CCPA) and how it may or may not affect your business. There have been plenty of articles written on which companies this new law will affect.
But how will this affect your business practices – both monetarily and operationally?
As a reminder, you will be affected by CCPA if your company:
- “Does business in the State of California” (any organization that does so, not just businesses residing or incorporated in California)
- Earns $25 million or more in revenue per year
- Annually buys, receives, sells, and/or shares the personal information of 50,000 or more consumers, households, or devices, alone or in combination
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
In addition to the above, there is a broad exemption for your business under the federal and California healthcare privacy laws, and the CCPA also excludes personal information (PI) collected, processed, sold, or disclosed pursuant to federal and California laws regulating financial institutions. These exemptions were expanded by the August amendment.
The CCPA will take effect on January 1, 2020, but certain provisions under the CCPA require companies to provide consumers with information regarding the preceding 12-month period – meaning that activities to comply with the CCPA may well be necessary sooner than the Jan 1, 2020 date.
OK – we’ve heard this before, but what does it mean to your business?
At the Agent/Supervisor Level:
- You must inform consumers, at or before the time of gathering the data, of the purpose for collecting it. Consumers using online methods can easily be informed through some policy language changes. Consumers calling an agent directly will need to be informed by the agent – increasing your Average Handle Time (AHT) and resulting in fewer calls per agent throughout the day.
- You must inform consumers of their “Do Not Sell My Personal Information” right, whether that information is made available online through an opt-out tool or conveyed at the agent level – thereby further increasing your AHT.
- If the consumer requests a copy of their PI, the business must deliver a copy in a usable format that allows it to be transmitted easily. This may require technical changes to your software, depending on how it is currently gathered.
Potential Technical Changes
Obviously, the technical changes include the above, but there are some other specifics that should be addressed as well.
- If a consumer has exercised their right to “Do Not Sell My Personal Information”, a business cannot solicit an opt-in for 12 months following an opt-out. There must be two or more methods for submitting information requests. This means a comprehensive tracking system needs to be put into place to ensure compliance.
- Increased Payroll:
  - With a potential increase in AHT (from longer engagements with consumers to inform them of policy changes), efficiency levels will decrease
  - Depending on the number of consumers requesting PI information sent to them,
- Increased Technology Costs:
  - One-time costs will include changes required to online policy statements, creation of opt-out policies, and development of a tracking system for consumers requesting data
- Potential fines:
  - Civil penalties of up to $7,500 per violation, following a notice and failure to cure the violation within 30 days of notice
Are you ready? Maybe you are in some areas and not in others. Hopefully this will help you determine what steps to take to minimize the costs to your business. If you need help, contact CH Consulting Group – we can help you assess your current state and create a strategic roadmap that ensures you are compliant with CCPA.