Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) will become effective on January 1, 2020.
This legislation strengthens privacy rights and consumer protection for residents of California. It applies to any business that provides goods or services to California consumers.
You may already have data protection steps in place in response to the EU's General Data Protection Regulation (GDPR), implemented on May 25, 2018.
Moving forward, is your business prepared to meet all requirements outlined under the CCPA? Or, are you still wondering, "What is CCPA?"
Today, we're sharing a roadmap to help your company reach compliance with this new measure before it rolls out.
Ready to learn more? Let's go!
What is CCPA?
In short, the CCPA is a set of broad policy requirements designed to protect consumer data rights in the state of California.
Heralded by some as the beginning of a GDPR for the United States, the CCPA requires organizations to become transparent about how they collect, share and use consumer information.
Though there are myriad subsections to the law, companies that serve or employ California residents may find that five pillars have the biggest impact on their current operations. These include CCPA requirements to:
- Map in-scope personal data and instances of selling such data
- Protect individual rights to data access and erasure
- Protect individual rights to opt out of data selling
- Update service-level agreements with all third-party data processors
- Identify and remediate gaps and vulnerabilities in information systems
Even if your organization is already meeting GDPR requirements, you may require the entire grace period to get your operations up to speed with the CCPA before 2020.
That said, let's review a simple roadmap that can help you streamline your endeavors. One way to make these steps simpler to complete is to invest in a privacy rights platform that helps you automate and organize such activities.
Your CCPA Readiness Roadmap
In the technology sphere and beyond, companies will need to take a closer look at their data handling practices ahead of the CCPA's official 2020 implementation. Here are 10 steps to apply that can help you prepare for the required changes.
1. Determine Application
First, determine whether or not the CCPA applies to any part of your organization.
The law applies to any business worldwide that receives personal information from California residents either directly or indirectly. This also extends to any business entity you control or that controls you.
In addition, your company must meet one or more of the following criteria:
- Make an annual revenue of more than $25 million (USD)
- Receive personal data from at least 50,000 California residents, devices or households per year
- Obtain 50% or more of your annual revenue from the sale of personal information about California residents
Note that even if you don't think these measures apply to your company, it's still important to read the entire law, as the definitions of "personal information" and "sale" are expansive.
2. Conduct a Gap Analysis
If you determine that the CCPA does apply to your company, your next step is to identify and analyze any gaps that exist between your current rights management policies and the ones you'll need to enact to fulfill these new requirements.
3. Review Specific Processes and Activities
Next, understand the specific business processes and activities the law entails, paying close attention to the requirements that involve minors. For example, the CCPA mandates that minors under the age of 13 must have a guardian opt into the sale of their personal information.
4. Map Your Data Use
You can't know which next steps to take if you don't have a clear and transparent view of how your organization currently uses the data it collects. If you don't have them, create in-scope data flow maps that detail how you collect, sell and disclose personal information.
If you already have such maps in place, update them with the new steps required under the CCPA.
5. Understand Individual Rights
Your organization may include various processes or activities to which CCPA individual rights apply. These specific rights include the following.
Individuals may request that you disclose details around the personal information you collect about them, including:
- Specific data elements
- Categories of personal information
- Categories of sources
- The purpose of collecting or selling the data
- Categories of recipients who receive the data
If you provide details of these data elements to a requestor via electronic means, you must send the information in a readily transferable electronic format.
Consumers may also request that your company delete their personal information.
Consumers may also request an account of the disclosures your company has made to third parties concerning the sale of their personal data.
Opt-Out or Opt-In
Consumers can opt out of the sale of their personal information via a "Do Not Sell My Information" button required on all homepages.
In the case of minors, instead of a general opt-out, companies must require opt-in consent from persons aged 13 to 16. Guardians must provide such consent for persons under the age of 13.
6. Financial Incentives
As you outline your compliance steps, determine whether or not your organization will offer financial incentives in exchange for consumer information.
The CCPA permits businesses to offer reasonable incentives to consumers, including payments, as compensation for the collection, sale, or deletion of their personal information, as long as:
- The incentive is not unjust, unreasonable, coercive or usurious
- The company notifies consumers about the incentives
- The company obtains opt-in consent before enrolling a consumer in such a program
- The company gives consumers the chance to revoke consent and participation at any time
7. Update Rights Management Procedures
With the preparation stage behind you, you're ready to put the actual policies to work. Update your individual rights management procedures to meet CCPA requirements.
8. Update Privacy Policies
Take a closer look at your company's existing privacy policies. Make sure they include all disclosures required under the CCPA.
9. Update Contracts
Does your company have contracts in place with third-party vendors with which you share the personal data you collect? If so, update this documentation to include all CCPA provisions.
10. Develop Processes for Subject Access Requests
Your organization should have defined processes in place for handling the Subject Access Requests (SARs) it receives from consumers. If you already have SAR policies in place in response to the GDPR, learn how to update these to meet CCPA requirements.
Understanding CCPA and Its Implications
The CCPA will help companies with a California footprint be as transparent as possible about the way they handle and disclose consumer information. It will also pave the way for other statewide legislation to provide similar data rights and privacy protection.
It isn't meant to be a burden, though its requirements can be a challenge to meet. This is especially true for the unprepared, or anyone still asking, "What is CCPA?"
Need help with your CCPA readiness roadmap? We'd love to simplify the process.
Request a demo of our privacy rights platform to learn how we can help you automate, organize and update your procedures to help meet compliance requirements under the GDPR, CCPA, and future laws, one step at a time. Here are three questions you should ask when developing your individual rights management solution.