California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) takes effect January 1, 2020, which means organizations are rushing to make sure they’re in compliance before the first of the year. CCPA is at the core of California’s digital privacy legislation related to the access, deletion, and sharing of personally identifiable information (PII). It applies to any for-profit business that does business in California, collects personal information from California residents, and meets at least one of the statutory thresholds: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of its annual revenue from selling personal information. In practice that covers most organizations of any size with a California customer base. Here’s what you need to know to make sure your organization is in compliance.

What is CCPA?

CCPA gives individuals in California specific rights related to the collection, storage, sale, and removal of personal information. It’s designed to give consumers greater control over their personal information, and it also gives them a private right of action when a data breach results from a business’s failure to implement reasonable security.

CCPA grants Californian consumers the right to:

  • Know what personal information is being collected, shared, or sold
  • Delete personal information held by a business or those acting on its behalf
  • Opt out of the sale of personal information
  • Not be discriminated against in price or level of service for exercising a privacy right under the act

Under the CCPA, businesses must tell consumers, at or before the point of collection, what categories of personal information they collect and why, and those who collect and manage it are required to protect it with reasonable security measures or face stiff penalties: civil penalties of up to $2,500 per violation ($7,500 per intentional violation), plus statutory damages of $100 to $750 per consumer per incident in breach lawsuits.

The law provides an extensive, non-exhaustive list of types of data that are considered personal, including:

  • Name & address
  • Photos
  • IP addresses 
  • Account names
  • Social Security & credit card numbers
  • License & banking information
  • Browsing & search history
  • Geolocation data
  • Professional or employment information

Compliance Recommendations

CCPA has some overlap with GDPR and Canada’s Anti-Spam Legislation (CASL), but there are some key differences, so you’ll want to have a plan in place to make sure they’re covered. Here are our recommendations for meeting the new requirements:

  • Identify a privacy officer within the company. If you don’t have one in place already, fill this role ASAP and make them the point person for compliance.
  • Audit and document all systems, internal and external, that house, interact with, and process consumer data (we’ve listed the common ones in the next section). We recommend repeating this audit at least once a year.
  • Identify the types of stored information that are considered personal according to the list above, and identify and document all sales of personal data to third parties, whether by direct sale or by service agreement.
  • Look at your privacy policy. Does it include:
    • Your business practices, both on- and off-line, regarding the collection, use, disclosure, and sale of personal information
    • Language that communicates the rights of consumers regarding their own personal information
    • Language specific to the use of cookies and tracking of consumer data
    • A link for consumers to opt out of the sale of personal data (the same link should be on your website)
  • Include the privacy policy, unsubscribe, and deletion-request (“right to be forgotten”) links in all commercial messaging, and update your website and mobile apps with a “Do Not Sell My Personal Information” link.
  • Create a process to provide and remove PII if requested by an individual, and verify the requester’s identity before you disclose or delete anything.
    • The request must be acknowledged within 10 business days and completed within 45 days. The 45-day period runs from the day you receive the request, not the day someone reads it, and it does not pause while you verify identity (one extension of up to 45 additional days is allowed when reasonably necessary, provided you notify the consumer). This is another compelling reason to identify a privacy officer ASAP.
    • Keep a record of each request and your response for at least 24 months.

We highly recommend the use of a third-party consent and preference management system like OneTrust. Their implementation can help bring you into compliance and take the burden of managing consent and preferences off your team. Note that such a tool does not replace the data inventory above: it can only honor requests for data in systems you have identified and connected.

Further Considerations

Once you’ve taken the steps above, go further to ensure that your company is in a position to handle requests to provide or delete PII quickly and easily. Keep in mind that any acquired portfolio assets (websites, apps, customer lists) require the same review to ensure compliance.

  • Communicate the rights provided by CCPA to consumers, and alert them to your updated privacy policy.
  • Identify the categories (data elements) of personal information collected in the past 12 months and the business purpose of the data.
  • Identify the systems where personal data is housed and determine a process for removal if requested. Include:
    • Google Analytics
    • Marketo
    • Salesforce
    • CMS (if it stores user accounts, form submissions, or analytics data)
    • Video host/provider (YouTube, etc)
    • Advertising platforms
    • Web hosting server-level data (access logs typically contain IP addresses, which are personal information under the act)
    • Other third parties and systems
  • Create a process and mechanism for users to make requests. Whether they want to request their information, opt out of the sale of their information, or have their personal data deleted, include specific language and a link for each option within the privacy policy. CCPA requires at least two designated request methods, and for most businesses one of them must be a toll-free phone number (a business that operates exclusively online and has a direct relationship with the consumer may offer an email address instead), so plan for users who are unable to access the web forms.
  • Review your privacy policy periodically – we recommend annually at minimum – to update the language on the collection, usage, and sharing of PII. Keep your internal list of the systems that house personal data current as well, since every new system is a new place a request has to reach.

Don’t Tackle Compliance Alone

Understanding the full legal implications of CCPA can seem overwhelming. If you’re struggling to understand the changes or just want another set of eyes on your CCPA implementation, please reach out to us or contact your consultant directly. 

We’d be happy to review your instance and help you reach compliance quickly. 

Legal Disclaimer
The information included here does not constitute legal advice. If you have concerns about your specific situation, please consult with a lawyer.