Get Started CCPA

What Is the CCPA?

The CCPA is the most comprehensive privacy law in the United States to date and is designed to give Californians more control over their personal information.

Major new data protections the CCPA introduces include:

  • Right to access information – Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a portable format:

    • Which categories of personal information were collected, shared, or sold
    • The categories of sources from which this personal information was collected, with whom it was shared, and to whom it was sold
    • The specific pieces of personal information the business has collected about that consumer
    • Why the personal information was collected
  • Right to deletion – Consumers in California will be able to request that a company delete the personal information it has collected about them.

  • Right to opt out – Consumers in California will be able to direct a company to not sell their personal information to third parties. It’s also important to note that the definition of “sell” in the bill is broader than simply monetary exchange.

Although it was passed in June 2018, the CCPA will go into effect on January 1, 2020. As a result, companies can expect the California Attorney General to clarify the requirements of the CCPA and expect the California legislature to amend the law. The CCPA has already been amended to include, for example, a grace period for businesses in which the Attorney General cannot bring an enforcement action until six months after final regulations have been published, or July 1, 2020, whichever is sooner. Please note that this grace period does not apply to the private right of action consumers can bring under the CCPA. There are also several other amendments still pending in the California legislature.


Quick Implementation Guide in 6 Steps

STEP 1 – Check whether your organization needs CCPA compliance

The CCPA applies to for-profit businesses operating in California that collect the personal information of California consumers and for which any of the following is true:

  • Annual gross revenues over $25M
  • Annually buys, receives, sells, or shares the personal information of over 50,000 California consumers, households, or devices
  • Derives at least 50% of annual revenue from selling California consumers’ personal information

STEP 2 – Form a Privacy Team in the Enterprise

Privacy is often thought of as a legal matter, but it is not only that. Teams across the entire organization must come together to understand the current data assets, how they are used, and the impact on the business going forward.

Training and change management are key; continuous process improvement and assessment are the right approach for reducing risk.

Ensure that data processing service provider agreements comply with the CCPA.

STEP 3 – Data Discovery (Personal Information)

Discover which data elements are collected from California consumers and the purposes for which that data has been used.

The scope of “personal information” under the CCPA is broad and includes any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

STEP 4 – Update Policy & Publish Consumer Content

Revise the website home page, customer notices, and privacy policy.

The website should provide a clear link for consumers to “opt out of sale”, along with the privacy policy update.

Provide clear instructions on the website or through other communication channels for consumers to exercise their rights.

The business should be able to disclose the personal information collected or sold in the 12 months preceding a consumer’s “right to know” request.

Define a reconciliation process between delete requests and the need to preserve data as evidence in litigation (legal hold).

Document an exception process for right-to-delete requests.

Right to opt in for minors: a business is prohibited from selling the personal information of consumers under 16 years of age.

Right to equal service and price: consumers must be provided equal service and price.

STEP 5 – Business Process Updates, Documentation & Training

Identify the team and business process by which right-to-know requests are fulfilled within 45 days.

Information must be in a portable format so that consumers can easily transfer it to other entities.

Disclose at least two contact points for consumers, such as a toll-free number or website, and identify the individuals responsible for handling consumer requests.

The disclosure should include:

  • Categories of personal information the business collected
  • Categories of sources from which personal information is collected
  • Business or commercial purpose for collecting or selling personal information
  • Categories of third parties with which the information is disclosed
  • Categories of personal information sold in the 12 months preceding the consumer’s verifiable request

Training to be provided for employees on CCPA’s prescribed consumer rights.

Create and maintain a comprehensive breach response plan.

STEP 6 – Third-Party Service Provider Agreements, CCPA Compliant

Review third-party agreements to ensure that the contract limits the service provider’s use of personal information as prescribed in the CCPA.

The CCPA defines “business purpose” as the use of personal information for the third party’s operational purposes or other notified purposes only.

Without a CCPA-compliant agreement with the third-party provider, the disclosure of personal information will trigger an opt-out right for the consumer.