The California Consumer Privacy Act (CCPA), widely regarded as the most extensive consumer privacy law in the United States, is set to take effect on January 1, 2020. This landmark data protection legislation is also considered one of the toughest privacy laws in the world, and it poses a challenge to every business that collects personal information from California consumers.
Similar to the General Data Protection Regulation (GDPR) that protects personal data of all European Union-based residents, the CCPA applies to all business entities regardless of their location. It gives California residents control over how their personal data is handled.
As the date of CCPA implementation nears, this comprehensive guide to CCPA compliance will discuss everything you need to know about this historic privacy law.
The CCPA applies to all business entities that collect personal data of consumers in California. This covers all companies regardless of their size and location, meaning a company that operates in another state or country is still covered by the CCPA if it deals with California residents.
However, territorial scope and the function of a business aren’t the only criteria under the CCPA. A business must also meet at least one of the following conditions: annual gross revenue of more than $25 million; handling the personal data of at least 50,000 consumers; or deriving half of its revenue from selling personal information.
Speaking of personal information, the CCPA has an expansive definition of this term. According to the new regulation, it is any information that can identify, relate to, describe, associate with, or link either directly or indirectly with a particular consumer or household. Considering this definition, it can be said that identifiers like name, postal address, email address, account name, driver’s license number, social security number, and other similar identifiers are covered by the legislation.
The expansive definition also means MAC addresses, IP addresses, location data, educational background, work history, and browsing history, among others, are considered personal information. The CCPA specifies that inferences drawn from personal data to create a profile of a consumer reflecting their preferences, predispositions, attitudes, behavior, and aptitudes can also be considered personal information.
Given the broad definition of consumer data, it is expected that the law will impact data collection on devices like smartphones, gaming consoles, and even software and apps.
The term ‘consumer’ is also broadly defined by the CCPA. It pertains to any individual who resides in California or is in the state except for a temporary or transitory purpose.
Under the CCPA, consumers in California have the following four basic rights regarding collection and handling of their personal information:
- Right to know. Consumers have the right to know what personal data about them has been collected. They are entitled to know where their personal information was sourced from, the purpose for which it will be used, and to which parties it is being disclosed or sold. They can request that a business entity disclose the specific categories and pieces of personal data collected about them in the last 12 months.
- Right to opt out. The new legislation gives consumers control over which parties they have consented to collect their personal information. They can opt out of allowing an entity to sell their personal data to third parties. Minors aged 16 years and below have the right not to have their personal information sold unless their parents opt in to consent to data collection.
- Right to delete. Consumers in California have the right to request a business entity to delete their personal information. This right, however, is subject to certain exceptions such as when the personal data is necessary to complete a contractual transaction.
- Right to equal service. Consumers also have the right to receive the same pricing and service from a business entity even after exercising their privacy rights. In simpler terms, consumers must not be discriminated against for exercising their rights under the CCPA: they must not be denied goods or services, charged different prices or rates, or provided a different level or quality of goods or services.
Any business entity, service provider, or individual found to have violated the CCPA will have to pay not more than $2,500 for each violation or up to $7,500 for each intentional violation.
Understanding the coverage of and consumer rights protected by the CCPA is the initial step towards CCPA compliance. In simpler terms, a business entity should first determine if it is covered by the CCPA before undertaking steps towards complying with the law.
With the enforcement date of the CCPA just around the corner, it pays for covered businesses to start preparing a CCPA compliance checklist. Firms that have already had to comply with the GDPR will find California Consumer Privacy Act compliance a piece of cake. For those that have not, below are some vital steps to CCPA compliance:
1. Map consumer data
Companies covered under the CCPA should start their journey towards compliance by mapping all personal information under their control. Some questions that can guide the mapping of consumer data are outlined below:
- What personal data is collected and held?
- How is personal information collected?
- How and where is the personal data gathered?
- Is the personal information shared with other parties?
Mapping consumer data enables organizations to get ahead of the CCPA compliance curve and start developing strategies to mitigate risk. It can also serve other purposes, such as refining data collection practices, developing new internal policies, and redesigning information technology infrastructure for timely data access and control.
2. Update privacy notices
A business entity covered under the CCPA is required to show a privacy notice to its consumers on its website. The notice must be presented at or before the point of collection, informing consumers of the categories of personal data the company collects and the purpose of collecting it. It should also explicitly state the rights that consumers now have under the CCPA.
These disclosures, which should be ready by January 1, 2020, are a vital part of CCPA compliance and must be updated yearly. Moreover, the disclosures and information an entity provides must be easily understandable to the average consumer, meaning they ought to be written in language commonly used and widely understood by the general public.
3. Implement procedures to promote consumers’ rights
It is also critical for covered business entities to implement procedures that support the consumer rights protected by the CCPA, such as the rights to access, to delete, to opt out of the sale of personal data, to non-discrimination, to opt-in for children, and to be informed of changes to privacy notices.
Business entities covered under the CCPA are obligated to honor consumers’ requests to access their personal data. Organizations are required to disclose the information electronically or by physical mail, free of charge. Consumers are allowed to make a maximum of two such requests within a period of 12 months.
Organizations covered under the CCPA are also obligated to honor consumers’ requests to delete their personal data. However, an organization can reject a request if it falls under any of the following exemptions:
- Transactional – if the personal data is needed to complete a transaction, perform a contract, or further a current business relationship.
- Security – if the personal information is to be used to detect security incidents or to charge those responsible for these criminal activities.
- Errors – this exemption lets entities keep server logs and other information needed to identify and correct errors in their software.
- Free speech.
Business entities are forbidden from requiring a consumer to create an account in order to opt out, and from using any data collected on the consumer in the process. Moreover, the CCPA is clear that 12 months must pass after a consumer opts out before covered parties may invite that consumer to opt back in to the sale of their personal data.
Given the number of requests expected once CCPA enforcement begins, it is imperative for covered parties to establish and maintain request-response workflows, including a database or records system. Integral to this is a request channel for consumers to use, such as an app, a dedicated webpage, or a phone or fax number.
There should also be protocols to authenticate consumer requests. For example, covered parties have to verify that a request indeed came from an actual person before processing it. Other protocols have to be established for documenting, responding to, and deleting requests.
Employees should also be trained on these new processes so they can carry out requests correctly. Covered parties must also synchronize their CCPA records with their other databases so that all consumer records are kept up to date.
4. Update agreements with third-party processors
Businesses that use third-party service providers to process data must also update their contracts to comply with the CCPA. Modifying contracts with third-party service providers and even affiliated companies can prevent the selling of personal information. Contract updates should include, among others, requiring data inventories, using standard contractual-clause language, issuing due diligence questionnaires, requesting records of processing, and conducting on-site assessments and audits.
5. Engage a CCPA compliance assessor or security advisor
Partnering with a full-service CCPA compliance assessor or security advisor can do wonders for entities covered under the new legislation. Engaging such a firm should enable covered institutions to better evaluate their data privacy and security policies, identify gaps between current practices and CCPA requirements, and learn which corrective actions to take in preparation for a CCPA audit.
The firm can help covered entities complete the following compliance-related tasks:
Search and classify CCPA-affected information
The security advisor can automatically search for, identify, and classify CCPA-affected data, whether it resides in the cloud or on-premises. Covered entities can thus more easily locate personal data, create reports, and address security vulnerabilities.
Process data subject requests
The security advisor/CCPA compliance assessor can help the covered entity find data related to a consumer’s request. From locating relevant files to pinpointing who has access, the third-party service provider can be of significant assistance in processing data subject requests.
Protect consumer data
The security advisor can aid in identifying and monitoring consumer data. The firm can also detect unusual activity involving consumer information and report on any suspicious behavior.
Design a security policy to meet CCPA compliance
The security advisor or CCPA compliance assessor can also help affected firms design and implement a security policy that can meet the compliance requirements of the CCPA.
Companies like RSI Security can be of assistance to firms looking to comply with the requirements of the CCPA. RSI Security is one of the top cybersecurity firms in the United States. Working with some of the leading companies and institutions in the world, RSI Security assists various entities in managing their IT governance and compliance efforts.