The California Consumer Privacy Act (CCPA) takes effect January 1, 2020, which means organizations are rushing to make sure they’re in compliance before the first of the year. CCPA is at the core of California’s digital privacy legislation related to the access, deletion, and sharing of personally identifiable information (PII), and it applies to just about every organization doing business in California. Here’s what you need to know to make sure your organization is in compliance.
What is CCPA?
CCPA gives individuals in California specific rights related to the collection, storage, sale, and removal of personal information. It’s designed to protect consumers in the event of a data breach by giving them greater control over their personal information.
CCPA grants Californian consumers the right to:
- Know what personal information is being collected, shared, or sold
- Delete personal information held by a business or those acting on its behalf
- Opt out of the sale of personal information
- Non-discrimination in terms of price or service when exercising a privacy right under the act
Under the CCPA, organizations must ensure that personal data is gathered legally and under strict conditions, and those who collect and manage it are required to protect it from misuse and exploitation or face stiff penalties.
The law provides an extensive, non-exclusive list of types of data that are considered personal, including:
- Name & address
- IP addresses
- Account names
- Social Security & credit card numbers
- License & banking information
- Browsing & search history
- Geolocation data
- Professional or employment information
CCPA has some overlap with GDPR and CASL, but there are some key differences, so you’ll want to have a plan in place to make sure the requirements of each regulation are covered. Here are our recommendations for meeting the new requirements:
- Identify a privacy officer within the company. If you don’t have one in place already, fill this role ASAP and make them the point person for compliance.
- Audit and document all systems, internal and external, that house, interact with, or process consumer data (we’ve listed common ones in the next section). We recommend repeating this audit at least once a year.
- Identify the types of stored information that are considered personal according to the list above, and identify and document all sales of personal data to third parties, whether by direct sale or by service agreement.
- Your business practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information
- Language that communicates the rights of consumers regarding their own personal information
- A link for consumers to opt out of the sale of personal data (the same link should be on your website)
- Create a process to provide and remove PII if requested by an individual.
  - The request must be acknowledged within 10 days and completed within 45 days. Those time periods start the day the request is sent, not the day you see it, which is another compelling reason to identify a privacy officer ASAP.
  - Once the request has been completed, the record of your response needs to be maintained for 24 months.
We highly recommend the use of a third-party system like OneTrust. Their implementation can help bring you into compliance and take the burden of managing consent and preference off your team.
Once you’ve taken the steps above, go further to ensure that your company is in a position to handle requests to provide/delete PII quickly and easily. Keep in mind that any acquired portfolio assets require the same review to ensure compliance.
- Identify the categories (data elements) of personal information collected in the past 12 months and the business purpose of the data.
- Identify the systems where personal data is housed and determine a process for removal if requested. Include:
  - Google Analytics
  - CMS (if your system’s analytics store personal data)
  - Video host/provider (YouTube, etc.)
  - Advertising platforms
  - Server-level data from your web host (access logs, for example)
  - Other third parties and systems
Don’t Tackle Compliance Alone
Understanding the full legal implications of CCPA can seem overwhelming. If you’re struggling to understand the changes or just want another set of eyes on your CCPA implementation, please reach out to us or contact your consultant directly.
We’d be happy to review your instance and help you reach compliance quickly.
The information included here does not constitute legal advice. If you have concerns about your specific situation, please consult with a lawyer.