The General Data Protection Regulation (GDPR) wasn't the only consumer privacy bill signed into law in 2018.
That same year, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into action, setting an effective date of January 1, 2020.
Like the GDPR, the CCPA aims to protect privacy rights and strengthen consumer protection. It's designed to help residents of California control how businesses obtain and share their personal information.
Even if your company doesn't have a physical location in this state, the CCPA could still apply to you. Today, we're sharing eight steps you can take to help you become compliant with all of its measures.
Ready to learn more? Let's get started!
1. Know How the CCPA Affects Your Organization
The CCPA protects any natural person who is a California resident. As opposed to a "legal person" which could encompass private businesses or public governments, a "natural person" is an individual human being.
The law mandates that California consumers have a right to know what personal information companies are collecting on them, and how they plan to use that data. In addition, they must be able to opt-out of that information being sold and can receive a copy of their personal information upon request.
If they fall victim to an information breach, these residents can also sue for damages.
Who must comply with these regulations? Any for-profit organization that meets any of the following criteria:
- Collects the personal information of consumers
- Conducts any form of business in California (including e-commerce)
In addition, the CCPA covers any organization that meets at least one of the following metrics each year:
- Gross revenue of $25 million or more
- Collects personal data for 50,000 or more consumers, devices, or households
- Obtains half of its yearly revenue by selling personal data
Your first step is to understand if and how the law affects you. The only exception made is for information subject to the Gramm-Leach-Bliley Act (GLBA).
Financial institutions should keep in mind, however, that the CCPA is much broader than the GLBA. There will be types of personal information not covered by the GLBA, such as data obtained through webpage tracking, which will now fall under CCPA protection.
2. Map Consumer Data
Once you confirm that the CCPA applies to your organization, your next step is to begin mapping the customer data you collect.
Start by gathering answers to the following questions in writing:
- What personal data do you currently collect?
- What are your methods for data collection?
- Where and how do you store this data?
- Do you share the data you collect? If so, with whom?
- Do you sell the data, provide it in exchange for a service, or use it for a different purpose?
Understand that beginning on January 1, 2020, California consumers may ask how your company collects and uses their personal information. You should be able to respond to these types of questions as they arise.
Remember to also obtain this same information from any third-party vendors that hold personal data on your behalf. They may need to perform this same data-mapping exercise and inform you of the results.
3. Fine-Tune Your Privacy Disclosures
As soon as the GDPR went into effect, companies around the world began including a comprehensive privacy disclosure on their website, informing all virtual visitors about their data collection procedures.
The CCPA will require similar actions. If you're under its jurisdiction, you must provide a disclosure "at or before" the point of data collection. Specific points to cover include:
- The categories of personal information your organization collects
- Any specific pieces of information collected
- Where you gather that personal information from
- The types of third parties you share the information with
- The purposes for which you will use the information
Post your disclosure in a public location, commit to updating it every year, and be ready to provide more details on it upon customer request.
4. Allow Customers to Opt Out
In addition to posting your public privacy disclosure, you should also give consumers the opportunity to make sure your company doesn't sell their personal information.
Do so by creating a privacy link on your home page that's clearly titled "Do Not Sell My Information." Visitors can click the link and go to a separate landing page, where they can request to be excluded from the sale of their data.
As this link must be visible by January 1, 2020, it's wise to go ahead and initiate the IT change management request for your website now. This may help ensure the link is live and bug-free by the required deadline.
5. Decide How to Handle Customer Requests
Your organization should be able to field and respond to customer requests about how it uses personal data. You can't do so unless you have a step-by-step process in place that dictates how your teams will handle these inquiries.
The CCPA states you need to provide your answers within 45 days, free of charge. Work with your in-house personnel to decide how you will provide these types of services:
- Provide consumers copies of their personal information
- Delete the personal information of customers who request such action
- Explain what categories of personal information your company sells
- Let customers 16 years old and over opt out of the sale of their personal data
- Obtain opt-in consent from customers between 13 and 16 before selling their personal data
- Get guardian consent to sell personal data of consumers under 13 years old
Make sure you read the CCPA guidelines to understand your legal obligations under each of these tasks, paying close attention to the listed age requirements.
6. Update Your Software and Systems
It's likely that meeting the requirements under the CCPA will require your organization to make updates to its software and computer systems. As such internal updates can take months to complete and implement, a best practice would be to go ahead and issue all required IT change requests now.
The same applies to recording new procedures. Write them down and store them in a shared, accessible location as soon as possible so all team members are up to speed when January rolls around.
7. Train Your Teams
It's important to write down all of the new steps required under the CCPA. Yet, in addition to recording them, you should also make sure your teams, especially those in public-facing roles, know how to respond.
Hold employee training sessions that cover the following key points of the new regulation:
- What CCPA coverage entails, and how your organization fits into it
- Whether the law applies to your entire footprint or only California customers
- How the CCPA defines a consumer (as a resident of California)
- How to direct or process customer inquiries about their personal data
Make sure this training occurs before January 1, 2020.
8. Protect Against Data Breaches
As stated, California consumers can take legal action if a data breach occurs at your company as a result of your inability to maintain security procedures and practices. This can create a devastating blow to your finances, as well as your reputation.
As such, it's important to strengthen your data security measures. Review the strategies you currently have in place and identify ways to further safeguard personal data to mitigate this risk. If you don't have a robust privacy rights management platform in place, now is the time to invest in one.
Prepare Now for CCPA Changes
Though we are still months away from official CCPA implementation, future-focused companies should begin preparations now.
With so many fine-print details to remember, it can be difficult to keep up with the organizational processes your company should enact.
Our platform makes it simple to automate and streamline all of your individual rights compliance requirements, including CCPA, GDPR, and others. Request a demo today to learn more about how it works. We'll help you prepare for tomorrow, starting today.