In our previous blog post on the California Consumer Privacy Act (CCPA), we compared this new data protection law to the European Union’s General Data Protection Regulation (GDPR).
In this final installment of our CCPA series, we will look at creating a compliance checklist to prepare for January 1, 2020, the CCPA effective date.
For a summary of the CCPA, its requirements, and what data is defined as “personal information” (and what is not covered), check out our first blog post in the series, “California Consumer Privacy Act of 2018 – A New Consumer Privacy Law You Need to Know.”
As we saw in our comparison of the CCPA and GDPR, there are some areas where these two do overlap. However, being GDPR compliant does not ensure full compliance with the CCPA.
What should companies be doing now to prepare?
- Determine if your company is required to comply with the CCPA.
  - Directly: a for-profit business established in California that collects data on California residents as a Controller (i.e., determines the purpose and means of processing the data) and that
    - Has annual gross revenues in excess of $25,000,000, OR
    - Annually buys or sells the personal information of 50,000 or more consumers, households, or devices in California, OR
    - Derives 50% or more of annual revenues from selling consumers’ personal information.
  - Indirectly: a parent or subsidiary of a company that shares branding with a company that qualifies directly under the CCPA.
    - Companies that qualify indirectly do not have to be established in California, be for-profit, or sell personal information.
  - Not all consumer personal information is covered by the CCPA. If you are not certain about the status of your company, contact your Legal department.
- Designate a team to manage your organization’s efforts.
  - The team should include stakeholders from Legal, as well as those who know and understand current data systems and processes.
- Create a thorough data inventory and mapping, as well as a data management plan, for all personal consumer data from the last 12 months. Include all data that is
  - Captured
  - Sold
  - Transferred
  - Purchased from a third party.
  - There are automated data discovery software tools that can scan your domains to locate personal consumer data.
- Update your company’s Privacy Policy and Notices to include information on
  - Personal information sold or shared by the company
  - Right to Know
  - Right to Be Forgotten
  - Right to Opt Out of Sale to Third Parties
  - Your “Do Not Sell My Personal Information” page link
- Test and confirm that your systems and processes for collecting, transmitting, processing, or storing in-scope consumer personal information can support the required activities:
  - Verification of customer requests
  - Ability to respond to all customer requests within 45 days
  - Submit a request for information disclosure
    - Track the number of requests by a consumer in a 12-month period
    - Provide a version of the requested data in a user-friendly, CCPA-defined format
  - Submit a request for deletion
    - Ability to delete personal information within 45 days
  - Submit an opt-out request for the selling of information
    - Ability to enforce an opt-out of selling for a 12-month period
  - Submit an opt-in request for those under the age of 16
    - Enforce not selling the data of those under the age of 16 without an opt-in
  - All personal data is secured during collection, transmission, processing, and storage
  - Documentation and audit trails of all actions
  - If systems cannot support these activities, they must be remediated before January 1, 2020.
- Update your company’s website to include
  - The company’s Privacy Policy
  - A toll-free phone number for information requests
  - A “Do Not Sell My Personal Information” link and request form
  - An “Information Disclosure” request form
  - A “Right to Be Forgotten (Deletion)” request form
  - At the points of personal information capture, a notification that information may be sold, if applicable
  - You may create a new section of the website to house CCPA-specific information and functionality for California residents, if needed.
- Create and document processes for responding to customer requests for personal information disclosure, deletion, and opting out of sale to third parties.
- Update any Service Level Agreements (SLAs) with third parties that purchase and/or process consumer personal data, and ensure that those third parties are CCPA compliant.
- Create a privacy awareness training plan for employees and complete the first round of training prior to January 1, 2020.
  - As noted in the law, companies must ensure that those responsible for handling consumer inquiries about the company’s privacy practices or legal compliance, including opt-out and deletion requests, are trained in (1) the relevant sections of the CCPA and (2) how to help consumers exercise their rights.
  - The best training program is not a “one and done” effort but a continuous plan that provides short bursts of training and remedial training options, and is part of a larger Security and Privacy Awareness and Compliance training focus for the company.
What Can You Do?
Privacy and data protection are bigger than the CCPA. Organizations need to be prepared to protect all data, no matter its source or location. If you want to know more about what you can do to create a positive Cybersecurity Culture, contact GLS today.
The upcoming National Cybersecurity Awareness Month is a terrific opportunity to launch a new initiative to socialize cybersecurity as everyone’s responsibility. Request our NCAM kit to get a variety of resources that reinforce this year’s theme: Own IT. Secure IT. Protect IT.