5 steps to prepare your organization for the California Consumer Privacy Act

Register now

If you have experience with GDPR, the General Data Protection Regulation, you already know that achieving compliance is a rigorous process that requires a structured plan, diligence and time.

Now, similar regulations are in place, governing businesses based in the U.S. One of the most prominent of those is the California Consumer Privacy Act (CCPA), a data privacy regulation that was signed into law on June 28, 2018, and goes into effect January 1, 2020. If your company does business with consumers in California, it’s likely that the CCPA is on your radar already.

How do you know if your organization needs to comply with CCPA? In short, compliance is mandatory if your for-profit organization does business in California and answers yes to one or more of the following:

  • Has annual gross revenues in excess of $25 million, or
  • Buys, sells, or shares (alone or in combination) the personal information of 50,000 or more California consumers, households, or devices for commercial purposes, or
  • Derives 50 percent or more of annual revenues from selling California consumers’ personal information. ⁠

Before this new regulation goes into effect, organizations need to approach CCPA compliance by first understanding the rules and requirements of the regulation. They will learn that a critical aspect of complying with CCPA is having the capability to quickly and easily demonstrate steps taken towards compliance. Most importantly, they will need to provide auditors the appropriate information and documentation proving that they have applied the proper compliance procedures.

Preparing for CCPA Compliance

Take a Data and Systems Inventory

The first step, taking an inventory of your data and the systems that handle data, is foundational. If you haven’t taken this step, you can’t govern the use of the personal data your systems house, and, of course, you cannot become compliant with CCPA.

Here’s a straightforward approach to taking this vital step:

  • Conduct a thorough inventory of your enterprise data and systems to understand where all Personally Identifiable Information (PII) resides, as well as how it flows throughout your entire organization.
  • Conduct an inventory of your assets, your business processes, and the vendors you work with.
  • Make certain your systems allow for easy access and retrieval of PII so that you can quickly identify where personal information is located.
  • Confirm that the third parties with whom you share PII also have a PII sharing policy in place.

Assess and Revise External Privacy Notices and Policies

CCPA requires that businesses disclose specific information to consumers. All mandatory disclosures will need to be made in the online “Privacy Policy” statement. California consumers have the legal right to force companies to not only delete their personal information, but also disclose what PII has been collected about them, to demand the reasons for collecting it, and to order them to refrain from selling any of it.

Ensure that your organization maintains a collection notice, a consumer rights notice, and an authorization-of-collection notice. Those notices must be kept up to date and be displayed prominently on your website.

Implement a Consumer Rights Request Process

Addressing requests from consumers is a key requirement with CCPA. Businesses must provide two or more means for consumers to easily make “rights requests.” Those means could include providing a toll-free phone number and a website address that are easily accessible to consumers (and without having to create an account). The request process should include the following:

  • Receive consumer requests and determine the legitimacy of the requests.
  • Verify that consumers can securely communicate requests.
  • Fulfill requests within 45 days, and at no cost to consumers.
  • Track or audit the history of consumer requests for use in the event of any legal disputes.
  • Ensure that your systems enable you to honor all consumer requests within 45 days.

For larger organizations, I recommend creating a template and workflows for handling consumer requests. The process can become complex, but templates and workflows can help ensure quick responsiveness.

Install a “Do Not Sell My Personal Information” Button

Organizations need to provide an easily locatable link – on their home page: One of the links must say, verbatim, “Do Not Sell My Personal Information.” The second link must be titled “Opt-Out,” by which a consumer prohibits the sale of his or her personal information.

Document Compliance with “Do Not Sell My Personal Information” Requests

Ensure that your organization documents all the third parties to which it sells personally identifiable information. Doing so will enable you to alert those parties to stop processing that data on receipt of a request by the consumer. CCPA states that no organization can sell any personal information for at least 12 months after a request is received.

By attending to these five critical steps, you will be well on your way to becoming CCPA-compliant by January 1, 2020. Still, if there’s a watchword I can offer, it would be this: act early and act often. There’s everything to be gained in building and maintaining the trust of your customers. Their PII is sacred to them; it must remain sacred to you as well.

For reprint and licensing requests for this article, click here.