If the California Consumer Privacy Act (CCPA) applies to your business, there is no question you should already be in compliance with the privacy law. Enforcement began in July 2020, and with the creation of the California Privacy Protection Agency (CPPA), the expectation is that enforcement activities will increase dramatically. Some businesses have held off on making the required changes, as they weigh the risks and costs of non-compliance. Others may not yet realize that the CCPA applies to their business.
But what about those businesses that are not (currently) required to comply with the CCPA? It’s tempting to just breathe a sigh of relief and go back to business as usual. The initial compliance effort can be a lot of work and smaller businesses are often worried that they don’t have the resources for it.
Despite this, there is a strong business case for becoming CCPA compliant even if the law doesn’t apply to your business. Here are the major reasons why.
Consumer expectations are evolving rapidly when it comes to data privacy. People are more aware than ever of how much personal information they share with businesses. They want to know how it’s being used and they want to have some amount of control over it. By putting data practices out in the open and giving consumers the opportunity to make privacy requests, which is the essence of CCPA compliance, businesses can build a great amount of trust and goodwill.
Of course, most people don’t actually read privacy notices or make deletion requests. They do, however, want to see some outward expression that a business is taking their privacy seriously. Certification of CCPA compliance is a perfect opportunity to do just that.
When the CCPA first went into effect, it was mostly the larger businesses that were ready to be compliant from day one. This wasn’t surprising to anyone; big companies have the compliance staff, web developers, and resources in general to quickly adapt. They are also much more likely to come under scrutiny from the California Attorney General. Medium-sized businesses mostly came along later as they realized compliance was not going to be optional, and as better compliance solutions came on the market.
Because of this, and because the subject of data privacy makes people think of giants like Facebook and Google, CCPA compliance is associated in the minds of consumers with large, established companies. With a relatively low investment cost, smaller businesses can use CCPA compliance to signal to consumers, especially B2B clientele, that they have a comparable level of organization and staying power.
In one form or another, compliance with data privacy laws like the CCPA will be the way of the future for businesses operating in most U.S. states, if not nationally. The European Union’s General Data Protection Regulation (GDPR) was passed in 2016, followed by the CCPA in 2018. Nevada has since passed its own lighter version of the CCPA, and in March 2021 Virginia signed the Consumer Data Privacy Act (CDPA) into law. Washington and New York have both introduced similar legislation and are expected to pass something in the near future.
All of this new legislation is based on the CCPA and the GDPR. If Congress decides to take up the data privacy issue and pass a federal law, there is a good chance it will be based on the CCPA. Perhaps in part for this reason, many large corporations, such as Microsoft and Samsung, have decided to extend CCPA consumer rights nationally and even globally.
For small businesses with an online presence, it’s a question of when, not if, one of these new privacy laws will apply to them. If they are already CCPA compliant, it will require much less effort to comply with a similar law from another state. Getting out ahead of those other laws will save a lot of work down the road.
If a business is voluntarily complying with the CCPA, it’s only reasonable to want to convey that fact to consumers. For that reason, the California Privacy Rights Act (CPRA) states that a voluntary certification program is to be created and administered by the CPPA in the future. At this point, however, no such program exists and the details are unknown.
SafeBase provides an accessible and transparent way to communicate not only CCPA compliance, but a wide variety of other information, such as cybersecurity and risk assessments, via a public-facing Security Status page. It’s extremely helpful for onboarding vendors and for any other B2B transactions that require auditing (including knowing whether a company is a CCPA service provider). In addition, it can give any consumer the confidence of knowing their personal data is safe.
CCPA compliance can be daunting for small businesses. Handling it internally can take months and lead to costly mistakes, while hiring a law firm or consultant costs tens of thousands of dollars. Faced with these choices, it’s understandable why many executives would rather avoid it if possible.
TrueVault Polaris makes CCPA compliance fast and affordable by automating the process, beginning from scratch and going all the way through to responding to consumer requests. By providing a guided, step-by-step experience, TrueVault Polaris combines the savings of keeping it in-house with the expertise of hiring an entire law firm.
Contact our team today to learn more!