Are You Ready For CCPA? A Compliance Checklist
The California Consumer Privacy Act (CCPA) has taken effect. On January 1, 2020, more than half a million US-based companies became subject to the California law meant to give consumers more control over their personal information.
Despite the quickly approaching enforcement deadline, a sizable number of companies are not close to being in compliance with the law. According to a survey conducted by the International Association of Privacy Professionals (IAPP), only 26 percent of organizations said that they were “fully prepared” for CCPA. On a somewhat optimistic note, however, 80 percent of companies said that they expected to be fully compliant by the law’s enforcement date of July 1, 2020.
CCPA has roughly three major components:
- Defining ownership of personal information.
- Giving consumers the right to control the sale and dissemination of their personal information.
- Mandating that corporations protect consumer data and be held accountable for security breaches.
CCPA, also known as AB 375, is a complex law, and it may be hard to conceptualize what your organization needs to do to be in compliance. We’ve broken it down into simple steps, grouped by the law’s three major components.
Check out our CCPA compliance checklist:
Under the law, California consumers have a right to know what data is being collected about them, and why, by a business in the preceding 12 months. In addition, consumers have a right to know if their personal data is being sold, and to whom.
- Data audit and mapping – One could argue that the first step in coming into compliance is mapping out and identifying where private consumer data originates, where it is stored, and where it goes (if it is sold to a third party). Conducting this exercise can also help you draft more accurate consumer privacy notices.
- Data collection justification – As you are uncovering sources of personal consumer information, now is the time to understand why you are collecting this data in the first place. Does it serve an actual business purpose? If a consumer asks, you need to be able to answer this question. This is also an opportunity to develop a more targeted and intentional data collection program.
- Contact methods – The mysterious contact methods employed by many tech companies won’t fly under AB 375. The law states that companies must have at least two avenues for consumers to submit information requests, one of which must be a toll-free number. If the company has a website, then it must also have an internet-based contact method. In the case of the latter method, it may be wise to develop a self-service portal that can verify consumer identity and easily lead a consumer through the information request process.
- Employee training – It’s important that all employees — especially those who deal directly with customers — understand the rights of California residents under CCPA. Technology and data collection can sometimes feel anonymous, but it’s important to remember that each piece of information you collect belongs to a person.
California residents will have the right to say no to the sale of their personal information. In addition, companies cannot discriminate against consumers who have exercised this right by charging them more, providing reduced service, or refusing service altogether.
- Opt-out tool – AB 375 states that companies must “Provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information’” that allows a consumer to opt out of the sale of private data. This tool should be very easy to use, and companies cannot require individuals to create an account in order to access the opt-out link.
- Notification system – Complying with CCPA will be an ongoing process, as it involves data that was collected in the previous 12 months. If at any point your company changes how or to whom personal data is sold, you will need to notify consumers and direct them to the opt-out tool. Developing an automated notification system will help you stay in compliance.
- Data valuation – Although companies cannot discriminate against customers who opt out, they can provide financial incentives for consumers who consent to have their data sold. The catch is that these incentives must be “directly related to the value provided to the consumer by the consumer’s data.” In other words, you must be able to prove that your data collection practices are necessary to provide a customer with the most effective service. So if you are considering offering different levels of service, you need to put a price on the value of data.
After the proliferation of consumer data breaches in recent years, it’s no surprise that a major component of CCPA involves consumer data security and protection. According to the law, a business must maintain reasonable security measures and practices to protect consumer data. If businesses do not safeguard private information, they can be subject to fines from the state and/or lawsuits directly from individuals.
- Data security audit – Along with the data mapping exercise we discussed earlier, you should also look for risks and vulnerabilities that could compromise private information. In addition, you should review who has access to private data (both internal staff and external parties) and revise permissions regularly as needed.
- Data breach notification process – No company wants to be involved in a data breach, but everyone should have a plan in the event that it happens. You should have a process to notify consumers that a breach occurred, what information was compromised, and what you are doing to mitigate the problem.
- Partner and vendor alignment – Confirm that vendors, integration partners, and any third party with access to consumer data are also in compliance with CCPA. This may require new contracts and/or updates to SLAs.
A note on GDPR
Many businesses that will be affected by CCPA are already in compliance with the European Union’s General Data Protection Regulation (GDPR). While both laws are sweeping and provide consumers with a broad set of rights, they are not identical, and being in compliance with one does not necessarily mean being in compliance with the other.
Some notable differences include:
- Data processing (GDPR) versus data collection (CCPA).
- GDPR’s focus on a person’s data, while CCPA also includes households and devices.
- CCPA’s right to opt out of the sale of personal data is absolute, while GDPR’s “right to object” can be overridden in certain circumstances.
Looking to shore up your compliance measures?
TechSafe is committed to providing highly performant, air-tight data infrastructure tools, data mapping, and concise documentation to help your organization with technical compliance.