Your CCPA Compliance Checklist: Six Essential Steps
If you’re still a little unsure about how to comply with California’s new privacy law, fear not. We’ve got your checklist right here to help you avoid those CCPA fines.
The California Consumer Privacy Act (CCPA), which passed last year after pressure from consumer advocacy groups, sends a clear message to companies conducting business in the State of California: California consumers really do care about their privacy.But first, what does the CCPA say, exactly?
The CCPA (full text here) gives consumers the ability to know what information is being collected from them, the ability to opt out of that information collection (and ask companies to delete what information has been collected) and the ability to forbid companies from selling their information to a third party. This legislation is similar in several ways to the European Union’s General Data Protection Regulation (GDPR), says Helen Streck, CEO of Kaizen Infosource. California companies who are already working on GDPR compliance will therefore have a head start complying with the CCPA. But there are differences as well, Streck says.CCPA vs. GDPR: What’s the Difference?
One difference is the smaller size of the fines and damages: the CCPA limits damages for exposed individuals to between $100 and $750 per incident, and regulators can levy fines of $7500 per violation. Streck notes that a more important difference between the CCPA and GDPR is that under the CCPA, third party businesses who receive personal information about a California resident must notify California consumers before selling their data. Furthermore, she cautions, not every California business is subject to the CCPA. “It applies in three situations,” she says: “If a company makes 50 percent of your annual revenue from selling personal data, or you’re a private company with $25 million in gross revenue, or you annually buy and sell information of 50,000-plus California residents, households or devices.” However, if your business does fall into one of those categories, the deadline for compliance with CCPA is January 1, 2020, and as every records manager knows, that’s not as much time as you might think. So we’ve put together a checklist to help you think about how best to proceed.Your CCPA Compliance Checklist: Six Essential Steps
Designate a Team to Spearhead Process Development
Although Streck won’t go as far as saying you should create an entire team to direct CCPA compliance efforts, she will say that it’s more likely that your business will meet the 2020 deadline with a team, versus an individual.
What you need on this team is a mixture of legal expertise (i.e. an attorney) and process expertise. “If you’re a legal expert with no process experience you can say ‘classify your data,’ but you need a process person who actually knows what that means,” Streck says.
Update Your Privacy Notices and Policies
Your company must provide notice to California consumers about what information you are collecting or disclosing to other entities before you start collecting it, as Streck noted. Specifically, you must tell consumers what categories of information you’re collecting—i.e. physical addresses, financial information, and even sleep habits—and if it isn’t listed in your privacy policy, you can’t collect it.
You must also inform California consumers if you’re selling this information to another party—and what categories of information you’re selling, as well as who you’re selling it to. Furthermore, you need to add a link on your website that clearly allows users to opt out of having their information sold.
Create and Maintain an Inventory of Record Data
Now, the hard part. You can’t just collect data—you need to categorize it appropriately, advice Streck has been giving to her records management clients for years, but which has taken on a new urgency. “If you don’t classify this data, deleting it upon request is almost impossible, as is complying with other regulatory obligations for recordkeeping,” she says.
Some considerations while you create the records of this data include:
- Whether the data being categorized has been sold (as “sold” is defined by the CCPA)
- Whether the data has been transferred to another party
- Whether the data was collected more than 12 months ago and is therefore exempt from the CCPA
- Whether the data is covered by federal privacy legislation like HIPAA
- Whether the data was purchased from another party
Map Data Relationships
If your company shares data with one or more third parties, you need to be aware of and document the exact relationship. Is the information being sold, or merely disclosed? Is it just certain categories of a consumer’s information that’s being sold? And to whom?
Create Processes for Data Access and Deletion
The CCPA gives consumers the right to access the information collected from them; this access must be given within 45 days. The same goes for requests from consumers to delete their information from your system—which they can do while also still allowing you to collect data from them.
You’ll need to not only create a system to document these requests, but also implement authentication processes to verify that they are coming from the consumer whose data you have. You will also need to decide what the official source of these data sets will be, if the data is being stored in various iterations.
And don’t forget to train customer service reps on how to respond to these requests.
Think About Data and Privacy From the Very Beginning
Streck has seen plenty of companies end up with nightmarishly cluttered databases despite creating data collection processes. The problem, she says, is that the creators of the processes simply don’t think about the total lifecycle of the data, from collection to eventual deletion. Embedding these principles in all areas of your business will save you from a lot of headaches down the line.