California Consumer Protection Act (CCPA): What it is and what it means to you
On January 1, 2020, the California Consumer Protection Act, or CCPA, went into effect. While the landmark law was officially passed last year, most Americans are just now catching wind of its sweeping changes to how consumer data can legally be processed and managed for California residents. That’s because clarity around the specific regulations of the law was just provided at the end of the California legislative session on September 13, 2019. Here are some key learnings about who the CCPA impacts, what is required of businesses that are impacted, and what the law could mean for you as an accounting or finance professional.
What is the CCPA?
The California Consumer Protection Act is privacy legislation that many have compared to the GDPR (General Data Protection Regulation), which has been in effect in the European Union since May 2018. At the heart of both pieces of legislation are mandates giving individuals more control over their personal information. The CCPA provides California residents (consumers) more control over their data and requires companies to be more transparent about what data they are collecting and how they are using that data.
The CCPA provides consumers with five new rights regarding their personal information including[1]:
- The right to request information on your business’ data collection, processing, and usage as it applies to them specifically. This includes what categories of information businesses have collected and if the information was disclosed or sold to third parties.
- The right to request a copy of any information businesses have collected about them during the previous 12 months.
- The right to have their information deleted (with some exceptions).
- The right to request that their information not be sold to third parties.
- The right to not be discriminated against because they have exercised any of these rights.
Learn more about these rights and what they could mean for your business.
Who does the CCPA impact?
Generally, a consumer under the CCPA means a natural person who is a California resident. The rights afforded under the CCPA apply to all consumers in this context. Therefore, any business that collects and/or processes information of California residents, whether these residents are your customers, prospects, employees, or otherwise, may be subject to the CCPA. For more details about who the CCPA impacts, read this article.
So, if your firm is in California, has employees in California, or has clients in California, you should be especially aware of the CCPA. Even if you don’t think the CCPA directly impacts your firm, it is a good idea to stay updated on the regulations and to implement best practices in your firm when it comes to data collection, processing, and storage. It is considered highly likely that the CCPA is the first of many privacy laws that will impact the United States in the coming years, so it will benefit every firm to pay close attention to how it is enforced and to act now to ensure your policies and procedures follow best practices and stay in compliance.
What does the CCPA mean for accounting & finance professionals?
As an accounting and finance professional, you handle sensitive information daily, including tax returns, financial statements, loan processing documents, employee information obtained during onboarding and more. It is your responsibility, and obligation under federal & state laws, to safeguard this information. Whether the CCPA directly impacts your firm or not, it is a good idea to follow some best practices for collecting, processing, and storing personal data.
Map your data flows
What data are you collecting and from whom?
It is essential that you understand what data you are currently collecting from individuals (whether they are customers, prospects, employees, or otherwise) and why you are collecting this data. If there is no clear reason why you are collecting a piece of data, you should stop collecting it – this will save you a lot of headaches down the road.
How are you collecting client data?
You also need to understand and map out how you collect data from individuals. Do they email this information to you? Upload to a secure portal? Bring in or mail physical paper documents?
Where are you storing client data?
Once you have this data, how and where are you storing it? Do you keep physical copies in a filing cabinet? Are copies left on a local computer? Are they on an encrypted hard drive? In a secure, cloud-based application?
Who has access to client data?
Then ask yourself, who has access to this data? If it’s stored in a filing cabinet, is it locked? Or can anyone open it? If copies are left on a local computer, are they password protected in any way? Who has access to any encrypted hard drives? Cloud portals? Do employees only have access to the information they need to complete their job? Or do you provide the same level of access to every employee?
Identify vulnerabilities
The act of documenting your data flow will likely uncover some vulnerabilities which you can then begin to rectify.
Some of the most common vulnerabilities we see in accounting firms are:
Storing data on local computers and/or in locations that are not encrypted.
If a computer or paper documents are lost or stolen, you’ll have no idea whose hands that sensitive data lands in. Ensure you have policies & procedures in place that prevent employees from saving sensitive documents to their local computer or printing sensitive information unnecessarily.
Having no central document store.
When data is disparately stored in multiple silos, it becomes difficult to effectively manage. Can you imagine if you were served with a request to delete all personal information of a consumer protected by the CCPA? If you have data stored in many different places, this request would be difficult and time consuming to complete with 100% accuracy. Not to mention the additional responsibility you have for the maintenance and data security for each document repository.
Employees have access to more data than is necessary.
It is always best practice to abide by the principle of least privilege. Only provide access to systems and data that are absolutely required for an employee to complete their job. Use groups or role-based security models for assigning access and permissions in your applications. This will provide greater control over who has access to sensitive data.
Consider having a single, secure document repository for all your client and firm documents. This helps you manage your data workflows and helps you easily comply with certain data requests from consumers under laws like the CCPA. Cloud-based applications like SmartVault make this easy for you, while also providing granular security permissions and an audit log so you always know who has accessed data and what they’ve done with it.
Create a data security policy
If you prepare taxes, you are already required by law to have a data security policy in place. If you don’t have one, it’s not as scary as you think. Learn more about creating your data security policy.
Have a plan in case of a breach
While you are taking proactive measures to avoid a data breach, it is best practice to have a plan in place in case data is compromised. This will ensure you are prepared for the worst, and can react in a timely manner should the unforeseen happen. Learn how to respond to a data breach.
Make sure you and your staff are trained on cybersecurity best practices
Training is your first line of defense in helping avoid a security breach. Ensure that you and your staff are up to date on the latest cyber crime tactics and how you can protect yourselves and your clients from these activities. We provide our tips for training employees here.
While regulations like the CCPA can seem daunting, the repercussions are real. If you are in the chain of custody of sensitive or confidential information, you have an obligation to take the necessary actions to protect your clients’ data. Start with a few steps outlined here to help make your firm more secure. If you’d like more information on how SmartVault can help you secure your data, schedule a demo today.
Disclaimer: This article does not constitute nor replace legal advice. We highly recommend all firms consult with their legal representative regarding the impact of any new laws or regulations on their business.
Resources
Here Comes America’s First Privacy Law: What the CCPA Means for Business and Consumers, by Jeff John Roberts, September 13, 2019
Does the CCPA Apply to Your Business?, by Joseph J. Lazzarotti, Jason C. Gavejian, Mary T. Costigan, and Maya Atrakchi, August 14, 2019
Countdown to CCPA #3: Updating Your Privacy Policy, by Catherine D. Meyer, James R. Franco, Fusae Nara, July 8, 2019
[1] https://www.pillsburylaw.com/en/news-and-insights/ccpa-privacy-policy.html