Businesses have endured many challenges amid the COVID-19 pandemic, and they have voiced their concerns loud and clear about the enforcement phase of the California Consumer Privacy Act (CCPA). However, one thing remains clear: the California Attorney General has consistently reaffirmed his intention to begin enforcing regulations under the CCPA on July 1, 2020, and the CCPA is now enforceable!
Latest Privacy Obstacles for Businesses
The privacy landscape has been anything but easy for businesses in 2020. The unexpected COVID-19 pandemic put additional pressure on companies as they reopened and were required to perform daily health checks in the workplace. These new protocols can create additional privacy and compliance risks for businesses that handle and store health data associated with COVID-19.
On top of creating new processes and procedures to safeguard an employee's data related to health checks, companies are already faced with potential new privacy compliance developments with the California Privacy Rights Act (CPRA), also known as the "CCPA 2.0," making the November 2020 ballot.
A new amendment to the CCPA this early leaves businesses with limited time to act if it passes in the November 2020 elections, and companies are already trying to establish and finalize their current CCPA enforcement procedures to ensure they can comply by the July 1st deadline.
CCPA Enforcement Strategy is Key to Compliance
Even though these obstacles can seem daunting for businesses during the pandemic and new privacy developments may arise with the proposed California Privacy Rights Act, it's important to keep in mind that regulations are fluid and are only going to evolve with time. Preparing for enforcement doesn't need to be an additional stress factor in the ever-evolving privacy landscape.
With enforcement starting today, businesses should start thinking about a CCPA enforcement strategy to ensure any critical obstacles related to enforcement are immediately addressed to comply with the CCPA.
Top 10 Tactics to Include in Your CCPA Enforcement Strategy
- Understanding & Protecting Employment Data
Employee data rights will be extended under the CCPA starting January 1, 2021, and should be top of mind for any CCPA enforcement strategy. Although the proposed CPRA might extend this deadline, businesses should include employment data in their criteria when looking for a privacy rights management solution to streamline privacy requests.
DID YOU KNOW?
According to a study performed by Dimension Data on behalf of Truyo, 62% of privacy professionals stated they would extend CCPA employee rights to all employees, including non-California residents.
- Processing & Handling Do Not Sell Requests
A "Do Not Sell My Personal Information" link must be provided so that users can opt out of the sale of their data. Automating the processing of Do Not Sell requests can reduce or eliminate fines associated with non-compliance, and businesses should look for a solution that completes Do Not Sell requests within 15 days.
- Verification Fallback
The right to know (Right of Access) gives consumers the right to obtain a copy of the personal information held about them as well as other supplementary information. To ensure compliance even when the data subject can't be verified, businesses should implement an automated solution that includes an abbreviated right-to-know feature: it takes unverified requests and returns the categories of data collected instead of the specific pieces that comprise the personal information.
If a data subject (consumer) can't be verified for a delete request, an organization must either automatically process the request as a Do Not Sell request or ask the data subject to submit a Do Not Sell request. It's recommended that businesses look for a solution that can, as an option, automatically create Do Not Sell requests from unverified delete requests. Automating this process eliminates the need for manual intervention or additional delay while the data auditor processes the request.
Businesses have an obligation to inform consumers about the collection and use of any personal information. All notices must be conspicuous, understandable, and ADA compliant to stave off any uncertainty.
- ADA Compliance
The CCPA requires businesses to be reasonably accessible to consumers with disabilities. For notices provided online, a company shall follow recognized industry standards such as the Web Content Accessibility Guidelines (WCAG) version 2.1. A comprehensive privacy rights management solution should include a consumer portal that is WCAG 2.1/ADA compliant out of the box while giving users a transparent experience when exercising their privacy rights.
- Method of Intake
Offering consumers two or more designated methods for submitting requests for information is required for compliance. Online-only businesses can provide an email address; all others must provide two ways to take requests. By default, one of those methods must be a toll-free number, so to ensure compliance the privacy portal should also be available to call-center representatives. A comprehensive, customizable, and seamless configuration of intake methods should be a key element when looking for a solution to automate privacy requests.
- Password Accounts & Non-Account Holders (Verification)
A password-protected account is sufficient verification for account holders and is the preferred method for many businesses. However, you can't require the creation of an account, and non-account holders can use a transaction amount or an item purchased for verification. If there is no way to verify a consumer with a high degree of certainty, the request can be rejected, as long as you intake the request and state the reason in the notice. Verification is a compliance feature that shouldn't be overlooked, which is why it's important to ensure a privacy rights management platform offers it with single sign-on capability.
- Authorized Agent & Parent, Child, & Minor
The CCPA allows California consumers to use an authorized agent to submit requests on consumers' behalf. To ensure the proper CCPA compliance is met, organizations should utilize a solution with the ability to upload documents such as a Power of Attorney (POA). Any other non-POA requests should still be taken into account through alternate methods.
In addition, the privacy rights management platform should also have the ability for parents to act on behalf of the child by uploading documents and contact information to process requests.
- Timeline & Reporting
Until the new operating regulations come into effect, acknowledging a request to know or a request to delete should not exceed ten business days, and if a business can't authenticate a data subject within 45 days, the request may be denied. It's imperative that companies become familiar with the timeframes that fall under the CCPA to ensure compliance.
Secure record keeping must exist in an immutable form to provide confidence, and organizations should have the ability to automatically pull reports for auditors and for the public.
Advanced reporting is critical to CCPA compliance, and a solution should include the ability to report & download the following key metrics:
- The number of requests to know that the business received, complied with in whole or in part, and denied
- The number of requests to delete that the business received, complied with in whole or in part, and denied
- The number of requests to opt-out that the business received, complied with in whole or in part, and denied
- The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out
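The verification fallback described above (unverified right-to-know requests answered with categories only, unverified delete requests turned into Do Not Sell requests), the ten-business-day and 45-day timelines, and the metrics report in the list above can all be modelled in one small request-routing routine. This is an added illustration, not Truyo's code or the CCPA's official logic; the `Request` fields, outcome labels, sample intake and the choice to treat opt-out requests as needing no verification are assumptions made here.

```python
from dataclasses import dataclass
from statistics import median

# Request kinds named on the page: right to know, delete, and Do Not Sell (opt-out).
KNOW, DELETE, OPT_OUT = "know", "delete", "opt_out"
ACK_LIMIT_BUSINESS_DAYS, RESPONSE_LIMIT_DAYS = 10, 45  # timelines stated on the page


@dataclass
class Request:
    kind: str
    verified: bool
    ack_days: int             # business days until acknowledgement
    response_days: int        # calendar days until substantive response
    outcome: str = "pending"  # complied_whole | complied_part | denied
    note: str = ""


def apply_verification_fallback(req):
    """Route one request; returns the requests that exist afterwards (an unverified
    delete request is denied and spawns a new Do Not Sell request, as the page says)."""
    if req.verified:
        req.outcome = "complied_whole"
        return [req]
    if req.kind == KNOW:      # abbreviated right to know: categories of data only
        req.outcome, req.note = "complied_part", "categories only (unverified)"
        return [req]
    if req.kind == DELETE:    # cannot verify the deleter: create a Do Not Sell request
        req.outcome, req.note = "denied", "unverified; Do Not Sell request created"
        return [req, Request(OPT_OUT, False, req.ack_days, req.response_days,
                             outcome="complied_whole", note="from unverified delete")]
    req.outcome = "complied_whole"  # assumption: opt-out needs no identity verification
    return [req]


def timeline_flags(req):
    """Flag the two deadlines cited on the page for a single request."""
    flags = []
    if req.ack_days > ACK_LIMIT_BUSINESS_DAYS:
        flags.append("late_acknowledgement")
    if req.response_days > RESPONSE_LIMIT_DAYS:
        flags.append("past_45_days")
    return flags


def compliance_metrics(requests):
    """Per-kind counts and median response time for the CCPA metrics report."""
    report = {}
    for kind in (KNOW, DELETE, OPT_OUT):
        subset = [r for r in requests if r.kind == kind]
        report[kind] = {"received": len(subset),
                        "complied_whole": sum(r.outcome == "complied_whole" for r in subset),
                        "complied_part": sum(r.outcome == "complied_part" for r in subset),
                        "denied": sum(r.outcome == "denied" for r in subset),
                        "median_days": median(r.response_days for r in subset) if subset else None}
    return report


# Constructed sample intake (not real consumer data): one of each fallback path.
SAMPLE = [Request(KNOW, True, 3, 20), Request(KNOW, False, 2, 30),
          Request(DELETE, False, 12, 50), Request(OPT_OUT, True, 1, 10)]
PROCESSED = [r for req in SAMPLE for r in apply_verification_fallback(req)]
```

Running `compliance_metrics(PROCESSED)` shows the unverified delete counted as received and denied under "delete" while a second opt-out request appears under "opt_out", which is the audit trail an auditor would expect for the fallback.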
- End-to-end Automation
Managing and streamlining privacy rights requests is critical to CCPA compliance, especially as privacy compliance requirements are updated. A true end-to-end automated solution is an essential component to ensure rapid response to privacy-related requests and the ability to scale with a company's privacy needs. Truyo is an automated solution that can adapt to new privacy regulations as they emerge in this ever-evolving privacy landscape. Designed to process large quantities of requests, this enterprise solution is the key to compliance for your CCPA enforcement strategy.