What is the CCPA?
Effective Jan. 1, 2020, the California Consumer Privacy Act (CCPA) is an advocacy bill passed with the sole purpose of giving California residents information about, and control over, the collection and sale of their personal information. This post discusses what you need to consider in your CCPA compliance checklist.
The law affords all California-based consumers the right to request access to and deletion of individual information a specific company has stored in its database.
The law also gives consumers access to the categories of third-party vendors with whom their data was shared. Lastly, the state law allows the Attorney General to pursue litigation and seek punitive damages if it finds that a company has violated privacy guidelines.
Staying in compliance is extremely important, especially since the state statute provides that the Attorney General has the right to sue corporations that have violated the law.
Building a preventive plan with regular CCPA compliance checkpoints is the best way to protect your company’s reputation and good standing.
Who Does the CCPA Apply To?
Currently, the CCPA applies to all for-profit companies that conduct business in California and that collect consumers’ personal information and determine the purpose and means of processing it.
In addition, such companies must also fall within one of the following categories:
- Buys or sells the personal information of 50,000 or more individual consumers or households
- Generates more than 50% of annual revenue from selling consumers’ personal data
- Has annual gross revenue greater than $25 million (USD)
What Types of Data Do Businesses Need to Protect Under the CCPA?
The CCPA introduces specific obligations for businesses with regard to protecting consumers’ personal information. Under the CCPA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Examples of personal information include:
- Real name
- Postal address
- Unique personal identifier
- Online identifier
- Internet protocol address
- Email address
- Account name
- Social security number
- Driver’s license number
- Passport number
It is important to note that personal information does not include information that is publicly available.
Your CCPA Compliance Checklist
Businesses are required to enforce internal security protocols focused on protecting consumer data. Our CCPA compliance checklist includes recommended actions to help businesses working towards CCPA compliance and identifies compliance gaps in your program.
Additionally, here are 6 surefire ways to stay within the boundaries of the law:
1. Know Your Data
Understanding what data your organization collects, where it is stored, and who has access to it is a foundational step towards CCPA compliance. Conducting a data mapping exercise helps you create and maintain data inventories and gives you a clear view of data flows across your organization, so that you can monitor compliance with CCPA requirements.
2. Be transparent with your audience
Place a conspicuous link or a pop-up window addressing your business’s collection of personal information, as well as a conspicuous “Don’t Sell My Personal Information” link or pop-up window, on your customer-facing website. This shows visitors that you take their preferences into account and gives them an option to be removed from any information-sharing activities with third parties.
3. Make information requests easy and user-friendly
Businesses should offer at least two methods for submitting requests. Create a secure web form, a designated email address, and/or a designated toll-free phone line dedicated to processing consumer requests.
4. Respond to requests in a timely fashion
California law mandates that, in order to be compliant, companies must respond to all requests to access or delete personal data, and to opt consumers out of the sale of their personal data, as soon as possible after receiving them.
5. Verify and govern internally
Create a verification process for incoming customer requests to know and to delete. This may include a series of questions related to the data in your system. As a responsible business, you DO have the right to deny a request if consumers fail to satisfactorily identify themselves or to verify their right to access information on behalf of someone else. You are required to keep these denials on file, together with a detailed description of the reason for each denial.
6. Protect the information of minors
Implement a parental consent documentation process to explicitly grant parents and guardians access to their children’s information.
Additional Considerations for CCPA Compliance
If one of your internal compliance checks reveals that you are out of compliance, follow your company’s contingency plan for data storage protocol breaches.
If an audit or regulatory committee discovers a compliance issue, or finds that data has been compromised, your organization has a 30-day cure period in which to remedy the violation in accordance with the law.
Because one of the biggest obstacles businesses face when it comes to CCPA preparedness is a lack of time and bandwidth, as well as the complexity of the law, we created a 5 Step CCPA Compliance Checklist. This checklist includes recommended actions to help businesses working towards CCPA compliance.
How Does OneTrust Help With CCPA Compliance?
OneTrust helps organizations of all sizes shorten their time to CCPA compliance with a purpose-built suite of technology solutions and professional services. With OneTrust, your organization can pinpoint where personal data resides and how it is used, and streamline how you manage and respond to consumer rights requests, including opt-out and Do Not Sell requests.