The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020. At first glance, this may appear to give your organization some time to prepare. However, the law, which provides California residents with several rights, including the right to request access to their personal information, has a “look back” requirement. Indeed, when a consumer makes a verifiable request for access to their personal information, organizations are required to provide records covering the 12-month period preceding the date of the request. This means that your organization should already be maintaining accurate records of consumers’ personal information starting from January 1, 2019.
New rights for consumers under the CCPA:
- Right to request information
  - The right consumers have to request information can be triggered in two cases: (i) if a business collects personal information about consumers, and (ii) if a business sells or discloses personal information about consumers. Businesses must disclose and deliver the required information within 45 days of receipt of a verifiable consumer request.
- Right to opt out of the sale of personal information
  - If a consumer has exercised their right to opt out of the sale of their personal information, the business is prohibited from selling that consumer’s personal information from that point forward unless it subsequently receives express authorization from the consumer for the sale. The business must wait at least 12 months from the date the consumer opted out before it can ask the consumer to authorize the sale.
- Right of deletion
  - The business must delete a consumer’s personal information from its records after receiving a verifiable consumer request to do so, and it must direct the service providers with which it has shared that information to do the same.
In addition, businesses have separate obligations to disclose to consumers: the right they have to ask for deletion of their personal information; if the business sells personal information, the fact that it does and that consumers have a right to opt out of the sale of their personal information; and, at or before the point of collection of personal information, the categories of personal information to be collected and the purposes for which it will be used.
What does this mean for your organization?
Companies will need to start preparing as early as possible to be ready to respond to the look back requirement and the new rights given to consumers. This means understanding where all personal information about consumers resides and where it flows within the organization, creating mechanisms to enable consumers to make those requests, training and potentially hiring new resources to respond to requests from consumers, updating their privacy policies to comply with the newly introduced information disclosure requirements, implementing new and structural processes internally to handle those requests, and more.
How OneTrust helps:
With OneTrust, your organization can take a holistic approach to CCPA compliance by leveraging a comprehensive suite of tools, each offering CCPA-specific functionality. By leveraging internal governance tools as well as consumer-facing tools, your organization can pinpoint where personal data resides and how it is used; streamline your ability to act when consumers exercise their rights to information and deletion; and manage opt-outs relating to the sale of personal information. With OneTrust Data Inventory and Mapping you can map California consumer data flows to meet the CCPA look back requirement. The OneTrust platform directly addresses CCPA requirements and sets organizations on the right trajectory for supporting a global privacy program.
Are you ready for the CCPA? Understand your readiness and get the best combination of technology, professional services, research, and community events with OneTrust’s Resources: