This year, Europe’s GDPR regulations sparked sweeping changes in the way companies handle consumers’ private data—not just European companies, but all companies. Since the GDPR applied to any organization that might, at some point, handle an E.U. citizen’s information, almost all internationally recognized businesses were affected (you may recall the slew of we’re-updating-our-privacy-policy emails you received around this time).
Now, in the U.S., California is implementing a similar set of protocols, called the California Consumer Privacy Act, or CCPA. Just like the GDPR, the CCPA will apply to organizations far outside of California’s boundaries—meaning that, regardless of location, accounting firms and CPAs should be paying attention.
Below are some frequently asked questions about the CCPA, and tips on how accountants can prepare for it.
When will the CCPA go into effect?
The CCPA, which was signed in June 2018, will go into effect on January 1, 2020. The American Bar Association states that the California attorney general, who will generally enforce the CCPA, will adopt the regulations on or before July 1, 2020, and will be able to begin enforcement actions starting on that date.
What will the CCPA do?
The CCPA will force companies to reveal what data they’re collecting on their Californian clients, as well as whether or not they’re selling said data to private entities. The law will also require companies to give consumers a clear opt-out option to prevent the sale of their information and/or erase their information from a company’s database.
Who does the CCPA apply to?
The CCPA will apply to all for-profit businesses, firms, and organizations that currently collect personal data on California residents. As previously stated, this includes organizations that aren’t physically located in California. Even organizations with just one Californian client will be legally obligated to comply, or face hefty non-compliance penalties.
Why should accounting firms prepare for the CCPA?
Let’s talk more about those penalties. According to the CCPA, if a business “has failed to implement and maintain reasonable security procedures and practices,” it can be fined up to $7,000 per incident. That means that if your accounting firm has one thousand clients in your database, a single security breach could potentially rack up fines totaling $7,000,000. Obviously, that’s enough to devastate most accounting firms.
If my firm already prepared for the GDPR, am I covered for the CCPA?
No, but you are close. There are additional requirements you’ll need to meet for the CCPA, including categorizing the personal information you’re collecting, as well as ensuring reasonable security practices are in place. Talk to an attorney to gain a full understanding of changes you’ll need to make. You can also consult the CCPA itself, or read guidelines which will be published by the IRS, NIST, and California Attorney General’s Office at an unannounced time in the near future.
What else can I do to protect my accounting firm from data breaches?
One of the easiest and most crucial things you can do to protect your firm from hacks and fines is to invest in secure practice management software. If your firm is still trading client data via regular email, the situation is essentially a disaster waiting to happen. Instead, you should exchange private data via an encrypted client portal for accounting firms, which makes data much harder to access and provides many other benefits as well.
Protect Your Accounting Firm with ImagineTime
Even if an employee uses a weak password (like “password”) and a hacker (unsurprisingly) gains access to your client data, under the CCPA, your firm can be held responsible. By proactively investing in secure file sharing software, you can protect your firm and ensure the safest possible environment for your clients.
ImagineTime is a practice management software built by accountants, for accountants. We are proud to offer world-class solutions to today’s practice management challenges. To learn more about our secure client portal and other services, click here.