Avoiding Sephora’s Fate: Demonstrating and Sustaining CCPA Compliance

When beauty retailer Sephora was recently fined $1.2 million in the first enforcement action under the California Consumer Privacy Act (CCPA), organizations across the country took note. Or at least they should have, considering that only 11% of companies are currently able to fully meet CCPA requirements, according to CYTRIO’s State of CCPA Compliance: Q1 2022 research. The truth is that, faced with myriad business priorities and mounting compliance requirements, many companies do the bare minimum, relying on checkbox-style security and privacy and a wing and a prayer. This shortcut catches up with you quickly, and the effects can be devastating to your business. To build and sustain a strong security posture, companies need to embed security and support for multiple compliance regimes into the very fabric of the organization.

The Compliance Journey

With the California Privacy Rights Act (CPRA), which amends and expands the CCPA, taking effect in January 2023, with Virginia’s own consumer privacy law arriving the same month and with states such as Washington and New York weighing similar bills, this is just the beginning of the compliance journey for many organizations. As the business grows and you enter new regions, you may also find yourself facing GDPR requirements in the EU, PIPEDA expectations in Canada and HIPAA enforcement in the U.S. health care market. The upside is that much of the work done to comply with the CCPA carries over to other major security, privacy and data protection frameworks and regulations, putting your organization at an advantage.

So what are companies failing to do when it comes to CCPA compliance, and how can they improve? A poor understanding of the law’s scope is often at the root of the problem. The CCPA gives California consumers significantly more control over how businesses collect and use their personal information, and it applies to any for-profit business that does business in California, collects personal information of California residents and meets at least one of the following thresholds:

• The business derives 50% or more of its annual revenue from selling or sharing the personal information of California consumers.
• The business has gross annual revenue of more than $25 million.
• The business buys, sells or shares the personal information of 100,000 or more California consumers or households. (This is the CPRA threshold; the original CCPA set it at 50,000 consumers, households or devices, so businesses that fell under the CCPA on the device count alone should re-check their status.)

CCPA Requirements

Armed with a clearer understanding of CCPA requirements, companies need to assess where their current security processes, controls and policies around data collection, storage and use fall short. The following best practices will help your organization demonstrate and maintain CCPA compliance, reduce your exposure to lawsuits and data breaches and strengthen your overall security posture:

1. Review Your Data Security Procedures and Practices
The CCPA requires businesses to “implement and maintain reasonable security procedures and practices” appropriate to the nature of the information, but it doesn’t define what “reasonable” means. This is the clause that matters most to security teams: if nonencrypted and nonredacted personal information is breached because of a failure to maintain reasonable security, affected consumers get a private right of action with statutory damages of $100 to $750 per consumer per incident, on top of any regulatory penalty. Some things you can do include:
• Adopting a security framework. A recognized control framework such as the CIS Controls, or an attestation such as SOC 2, gives you a defensible baseline for “reasonable” and improves overall cybersecurity and protection of consumer data.
• Conducting a penetration test. A penetration test helps you identify and fix exploitable weaknesses in your infrastructure before an attacker does; repeat it after significant changes rather than treating it as a one-off.
• Investing in a security management platform. A centralized security policy platform with support for CCPA compliance helps keep your policies up to date and your evidence of compliance in one place.

2. Provide Staff Training for Handling Personal Information
The CCPA lets consumers require businesses to take specific actions regarding their personal information, including disclosing it or deleting it, and these requests carry a 45-day response deadline. For CCPA compliance, make sure you have developed policies and procedures to support these requests and that your staff knows what to do when they arrive. Include in your training:
• How to identify what counts as personal information under the CCPA
• What legal responsibilities the company has under the CCPA, including response deadlines
• How to recognize, escalate and handle a suspected breach

3. Assist Consumers with Exercising Their Rights Under the CCPA
You’ll need to provide a way for your consumers to exercise their rights under the CCPA. The exact method you choose will depend on your company and its infrastructure. You may:
• Include conspicuous banners or pop-ups on your website that inform California residents of their rights and let them opt out of the sale or sharing of their personal information (and opt in, for consumers under 16, since opt-in consent is required for minors).
• Create forms or provide contact information for submitting consumer rights requests; the CCPA requires at least two methods, including a toll-free number for most businesses.
• Automate the intake, identity verification and fulfillment of requests so they are handled consistently and within the deadline.

4. Implement a Process to Comply With the Look-Back Requirement
Although the CCPA doesn’t use the phrase “look back,” it does include a 12-month retroactive requirement. When a consumer submits a request to know, you must be able to disclose the personal information you collected about them, its sources, the purposes of collection and the categories of third parties it was sold to or shared with, covering the 12 months preceding the request. (Under the CPRA, consumers can also ask for information older than 12 months for personal information collected on or after January 1, 2022, unless providing it would be impossible or involve disproportionate effort.) If you haven’t already, build a data inventory that classifies each data store by the CCPA categories of personal information it holds, where that data came from and whom it is shared with, and keep it current so you can answer requests without a scramble.
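The look-back query described above, as an added example that is not part of the original article or Carbide’s product: a minimal personal-information inventory with a function that returns, for one consumer, the records collected in the 12 calendar months ending on the request date, grouped by CCPA category, together with the third parties the data was sold or shared with. The record fields, category names and sample records are constructed for the example, and the window rule (inclusive of both the start and the request date, with calendar-month arithmetic) is an assumption, not legal advice.

```python
"""Added example, not from the article: a minimal personal-information
inventory with a 12-month look-back query for CCPA "request to know" handling.

Record fields, category names and SAMPLE_INVENTORY are constructed for
illustration. The window rule (inclusive [request_date - 12 months,
request_date], calendar-month arithmetic) is an assumption, not legal advice.
"""
from __future__ import annotations

import calendar
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PIRecord:
    consumer_id: str
    category: str                              # CCPA category, e.g. "identifiers"
    source: str                                # system or vendor that collected it
    collected_on: date
    sold_or_shared_to: tuple[str, ...] = ()    # third parties, if any


def months_before(d: date, months: int) -> date:
    """Same day-of-month `months` earlier, clamped to the last day of that
    month (so 2024-02-29 minus 12 months is 2023-02-28, not an error)."""
    idx = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(idx, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def lookback_window(request_date: date, months: int = 12) -> tuple[date, date]:
    """Inclusive [start, end] period a request to know must cover."""
    return months_before(request_date, months), request_date


def records_for_request(inventory, consumer_id: str, request_date: date,
                        months: int = 12) -> dict:
    """Return the in-scope records for one consumer, grouped by category,
    plus the sorted set of third parties the data was sold or shared with.
    `months` can be raised for CPRA requests that reach beyond 12 months."""
    start, end = lookback_window(request_date, months)
    by_category: dict[str, list[PIRecord]] = defaultdict(list)
    third_parties: set[str] = set()
    for rec in inventory:
        if rec.consumer_id != consumer_id:
            continue
        if not (start <= rec.collected_on <= end):
            continue  # outside the look-back period: out of scope for this request
        by_category[rec.category].append(rec)
        third_parties.update(rec.sold_or_shared_to)
    return {
        "window": (start, end),
        "categories": {cat: sorted(recs, key=lambda r: r.collected_on)
                       for cat, recs in by_category.items()},
        "sold_or_shared_to": sorted(third_parties),
    }


# Constructed sample inventory (not real data). Request date used below: 2022-07-01.
SAMPLE_INVENTORY = [
    PIRecord("c-1001", "identifiers", "web-signup", date(2021, 6, 30)),      # one day outside
    PIRecord("c-1001", "identifiers", "web-signup", date(2021, 7, 1)),       # first day inside
    PIRecord("c-1001", "commercial information", "orders-db", date(2022, 3, 14),
             sold_or_shared_to=("adtech-partner-a",)),
    PIRecord("c-1001", "internet activity", "analytics-sdk", date(2022, 6, 30),
             sold_or_shared_to=("adtech-partner-a", "adtech-partner-b")),
    PIRecord("c-2002", "identifiers", "web-signup", date(2022, 1, 5)),       # another consumer
]


if __name__ == "__main__":
    result = records_for_request(SAMPLE_INVENTORY, "c-1001", date(2022, 7, 1))
    print("window:", result["window"])
    for cat, recs in result["categories"].items():
        print(f"{cat}: {len(recs)} record(s) from {sorted({r.source for r in recs})}")
    print("sold/shared to:", result["sold_or_shared_to"])
```

The point of the calendar-month helper is that a naive `timedelta(days=365)` drifts by a day in leap years and cannot express "12 months" at all; keeping the window computation in one place also makes it easy to widen for CPRA requests that reach further back.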

5. Update Your Website
Many websites now include banners, links in the footer menu or other features that allow users to opt in or opt out of the various data collection processes that businesses use. If you haven’t updated the company website to reflect this, you should do so now. Make sure that these links are:
• Conspicuous. People shouldn’t have to look for them.
• Clear. Use plain English and provide important information in a readable format. In some cases the CCPA prescribes the exact link text, such as “Do Not Sell My Personal Information” (which the CPRA extends to “Do Not Sell or Share My Personal Information”).
• Concise. Avoid long-winded disclaimers that hide important information. State what needs to be said and nothing else.

As more jurisdictions allocate resources to enforcement and the scope of privacy laws grows, companies need to prioritize security and privacy to avoid devastating impacts. Implementing robust security and privacy programs from the start, designed to satisfy multiple compliance regimes and built on best practices, will ensure your organization can demonstrate a strong security posture, meet mounting compliance requirements quickly and efficiently, and avoid the same unfortunate fate as Sephora.


Darren Gallop

Darren Gallop is the CEO and co-founder of Carbide and drives the strategic vision and direction of the company. An atypical tech startup founder, Darren started his career as a professional musician touring with his band(s) throughout Canada. That experience fueled an interest in the music’s business side, leading him to found his own record label, and eventually Marcato, a successful startup whose innovative technology platform was used to manage music and cultural events around the world prior to its acquisition. While at Marcato, Darren developed a deep interest in security and privacy, prompting him to secure his Certified Information Systems Security Professional (CISSP) designation and to serve as the company’s Chief Information Security Officer – a role he now holds at Carbide today. Darren has since also become a Certified Information Privacy Manager (CIPM). This combination of creativity, business acumen, genuine interest in security and privacy, and entrepreneurial spirit underpins Carbide’s culture of innovation.
