January 7, 2020 Faith Kubicki
This is Part Two of a two-part series. To review the California Consumer Privacy Act and what it means for your business, please see Part One.
CCPA compliance is projected to be one of the largest – and most costly – security considerations of 2020. According to PwC, more than 40 percent of CIOs at companies with at least $1 billion in revenue are planning to spend over $10 million to comply with the California Consumer Privacy Act, while 20 percent planned to spend at least $100 million.
This investment isn’t just in technologies and process optimization; many companies are also planning to add employees to accommodate the expected increase in consumer inquiries. Two-thirds of companies planned to add at least ten full-time employees (or contractors) as designated resources for their CCPA compliance program. Those companies are expecting to receive at least 500 consumer inquiries each day once the law goes into effect; 11 percent expect to receive more than 10,000.
Creating Your Company’s CCPA Compliance Plan
As you prepare your own organization for the impact of these new regulations, there are a few important things to keep in mind:
- The CCPA is intended to complement – not replace – existing California privacy regulations. As you focus on the California Consumer Privacy Act, you’ll still need to meet other guidelines, such as those set forth in the California Online Privacy Protection Act.
- The CCPA is often compared to the European Union’s GDPR (General Data Protection Regulation). However, being GDPR-compliant doesn’t mean that you are CCPA-compliant by default.
While you may have already addressed some of the CCPA’s requirements, you may still need to enact a few more measures to meet all of the new obligations.
As you develop new policies and procedures, you can leverage the following best practices to help you move toward CCPA compliance.
Conduct a CCPA Readiness Assessment
The first step in your compliance plan should be a thorough evaluation of your current policies and procedures through the lens of the California legislation. You’ll want to review your:
- Notices and disclosures
- Data collection and retention policies
- Internal and external access policies
- Breach notification policies
- Consent forms
In this phase, you’ll want to be as specific as possible. Once you’ve reviewed your internal privacy framework, you’ll have a better understanding of what you need to focus on to become CCPA-compliant.
Map Your Consumer Data Flows
To determine which specific actions you’ll need to take, you’ll first need to determine what kinds of data you collect; how you collect it; where you store it; and if/how you share it with other entities (such as third-party vendors or advertisers). As you move forward, you may also wish to specify how you maintain documentation of everyone who has given you permission to collect their data, or who has opted out under CCPA regulations.
As you take an inventory of your data, you’ll want to consider your internal systems (such as your CRM and ERP) as well as your external systems. Vendors and third parties must also comply with the California Consumer Privacy Act, so you may also need to request the same information from key business partners (such as your marketing agency and/or cloud service provider).
Update Your Privacy Notices
Consumer-facing privacy notices must be in place by January 2020. If you don’t have one completed yet, it should be one of your first action items.
CCPA privacy notices must be publicly available “at or before the point of [data] collection” and should be as transparent as possible. You’ll want to work with your legal counsel to draft a policy that includes:
- What kind of information you collect
- Why and how you process this information
- How users can request access to (or deletion of) their personal data
- How you plan to verify the identity of a person who submits a request
- Whether you sell personal data and how consumers can opt out of this practice
- A description of standard consumer protections under California law
At this time, you can maintain a separate privacy notice for California residents, or you can create a single universal policy. However, this may change in the future if other states enact similar data protection laws.
Employee-facing privacy notices are another mandatory aspect of CCPA compliance, although these do not need to be completed until January 2021. From that point on, you’ll need to update both sets of disclosures on a yearly basis.
Update Your Website and/or Mobile App
On the back end, you may implement a solution that automates the management of consumers’ opt-out preferences. However, this is not required for CCPA compliance; you can process these requests in any manner that is most appropriate for your business.
Create a Workflow for Managing Data Rights Requests
Once you’ve established the channels for your data access requests, you’ll need to determine who will be responsible for managing these requests. Work with your Operations team to identify a plan for handling each access request that you receive, as well as a plan for documenting the steps that are taken.
As part of this process, you may want to organize your data to streamline the process of responding to requests. (Under the CCPA, companies have 45 days to produce a copy of the consumer’s information.) You can be asked to provide this information at any time, but you are not obligated to provide it to the same consumer more than twice in a 12-month period.
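As an added illustration (not part of the original article, and not a description of any particular vendor’s product), the Python below sketches the intake logic a request workflow needs to enforce the two rules just stated: every accepted request gets a response due date 45 days out, and a consumer who has already had two requests fulfilled in the trailing 12 months is declined. It assumes that identity verification has already happened and produced a stable consumer identifier, and that the “12-month period” is counted as a rolling 365-day window; the request dates are constructed sample data. All of those are assumptions for the example, not statements about the statute.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

RESPONSE_WINDOW_DAYS = 45   # the article: 45 days to produce a copy of the data
MAX_FULFILLED_PER_YEAR = 2  # the article: no more than twice in a 12-month period
LOOKBACK_DAYS = 365         # assumption: "12-month period" treated as a rolling 365 days


@dataclass
class AccessRequest:
    consumer_id: str          # assumption: assigned only after identity verification
    received: date
    verified: bool = False    # False until the identity check in your notice succeeds
    due: Optional[date] = None
    completed: Optional[date] = None


@dataclass
class RequestLog:
    """Holds every accepted request so the rolling-window count can be checked."""
    requests: List[AccessRequest] = field(default_factory=list)

    def fulfilled_in_window(self, consumer_id: str, as_of: date) -> List[AccessRequest]:
        # Only requests actually accepted count toward the limit; declined or
        # unverified attempts never enter the log, so they are not counted.
        cutoff = as_of - timedelta(days=LOOKBACK_DAYS)
        return [r for r in self.requests
                if r.consumer_id == consumer_id and cutoff < r.received <= as_of]

    def intake(self, req: AccessRequest) -> Tuple[str, Optional[date]]:
        """Decide what to do with a new request; returns (decision, due_date)."""
        if not req.verified:
            # Never release data on an unverified request; ask for verification first.
            return ("reject_unverified", None)
        prior = self.fulfilled_in_window(req.consumer_id, req.received)
        if len(prior) >= MAX_FULFILLED_PER_YEAR:
            return ("decline_limit", None)
        req.due = req.received + timedelta(days=RESPONSE_WINDOW_DAYS)
        self.requests.append(req)
        return ("accepted", req.due)

    def mark_complete(self, req: AccessRequest, on: date) -> None:
        req.completed = on

    def overdue(self, as_of: date) -> List[AccessRequest]:
        """Accepted requests whose due date has passed without completion."""
        return [r for r in self.requests if r.completed is None and r.due < as_of]


def demo() -> List[Tuple[str, Optional[date]]]:
    """Constructed sample: one consumer, four requests across two calendar years."""
    log = RequestLog()
    decisions = [
        log.intake(AccessRequest("c-1001", date(2020, 1, 15), verified=True)),
        log.intake(AccessRequest("c-1001", date(2020, 3, 1), verified=True)),
        log.intake(AccessRequest("c-1001", date(2020, 6, 1), verified=True)),   # third in 12 months
        log.intake(AccessRequest("c-1001", date(2020, 6, 2), verified=False)),  # identity not verified
        # By January 2021 the first request has aged out of the rolling window.
        log.intake(AccessRequest("c-1001", date(2021, 1, 20), verified=True)),
    ]
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The rolling window is the detail worth getting right: a third request in June is declined, but a request the following January is accepted again once the earliest one falls outside the 365-day lookback. Keep the `overdue` report wired into the same workflow, since the 45-day clock starts at receipt, not at the point someone picks the ticket up.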
Create and Implement an Incentive Program
The CCPA allows companies to offer consumers incentives for consenting to the use and/or sale of their data. If you plan to do this, determine which incentives you plan to offer within the confines of the law. You may want to work with your Marketing team to construct, implement, and promote this program.
Decide if You Want to Extend Your Efforts (Either Now or In the Future)
While the California Consumer Privacy Act is the first of its kind in the U.S., many experts believe that it will serve as a foundation for comparable laws in other states (or even at the federal level). As a result, some companies, such as Microsoft, have committed to apply California’s new privacy rights to consumers throughout the entire United States. Depending on the resources you currently have available, you may want to evaluate whether a similar initiative is reasonable for your company as well.
Invest in Training & Education
As with any compliance effort, your CCPA program may change over time. This is especially true if you’re taking a more proactive approach and enacting broad privacy goals, rather than implementing the minimum viable policies to comply with the letter of the law.
As you build your program, set aside resources for company-wide compliance training, ensuring that all employees – not just those in IT or Information Security – clearly understand their responsibilities, as well as the consequences of non-compliance.
Discuss Your Options with a Compliance Assessment Firm
As of December 2019, there is no industry-standard CCPA compliance examination. However, as companies implement new strategies to comply with the law – and consumers come to expect a higher level of protection – companies can still request third-party validation of their efforts.
At 360 Advanced, our security professionals stay at the forefront of the latest privacy standards – including state and federal regulations for consumer data protection. We can help you review your current compliance initiatives in the context of consumer protection frameworks (including the California Consumer Privacy Act and the General Data Protection Regulation), helping ensure that you are taking appropriate steps toward protecting your customers’ data.
For more information about CCPA compliance, contact us today.
This article is for general informational purposes only and does not constitute legal advice and should not be acted upon as such. Please contact an attorney to obtain advice on any specific legal issues.