5 steps to prepare your organization for the California Consumer Privacy Act
If you have experience with GDPR, the General Data Protection Regulation, you already know that achieving compliance is a rigorous process that requires a structured plan, diligence and time.
Now, similar regulations are in place, governing businesses based in the U.S. One of the most prominent of those is the California Consumer Privacy Act (CCPA), a data privacy regulation that was signed into law on June 28, 2018, and goes into effect January 1, 2020. If your company does business with consumers in California, it’s likely that the CCPA is on your radar already.
How do you know if your organization needs to comply with CCPA? In short, compliance is mandatory if your for-profit organization does business in California and meets one or more of the following criteria:
- Has annual gross revenues in excess of $25 million, or
- Buys, sells, or shares (alone or in combination) the personal information of 50,000 or more California consumers, households, or devices for commercial purposes, or
- Derives 50 percent or more of annual revenues from selling California consumers’ personal information.
Before this new regulation goes into effect, organizations need to approach CCPA compliance by first understanding the rules and requirements of the regulation. They will learn that a critical aspect of complying with CCPA is having the capability to quickly and easily demonstrate steps taken towards compliance. Most importantly, they will need to provide auditors the appropriate information and documentation proving that they have applied the proper compliance procedures.
Preparing for CCPA Compliance
Take a Data and Systems Inventory
The first step, taking an inventory of your data and the systems that handle data, is foundational. If you haven’t taken this step, you can’t govern the use of the personal data your systems house, and, of course, you cannot become compliant with CCPA.
Here’s a straightforward approach to taking this vital step:
- Conduct a thorough inventory of your enterprise data and systems to understand where all Personally Identifiable Information (PII) resides, as well as how it flows throughout your entire organization.
- Conduct an inventory of your assets, your business processes, and the vendors you work with.
- Make certain your systems allow for easy access and retrieval of PII so that you can quickly identify where personal information is located.
- Confirm that the third parties with whom you share PII also have a PII sharing policy in place.
Assess and Revise External Privacy Notices and Policies
Ensure that your organization maintains a collection notice, a consumer rights notice, and an authorization-of-collection notice. Those notices must be kept up to date and be displayed prominently on your website.
Implement a Consumer Rights Request Process
Addressing requests from consumers is a key requirement under CCPA. Businesses must provide two or more means for consumers to easily make “rights requests.” Those means could include a toll-free phone number and a website address that are easily accessible to consumers (without requiring them to create an account). The request process should include the following:
- Receive consumer requests and determine the legitimacy of the requests.
- Verify that consumers can securely communicate requests.
- Fulfill requests within 45 days, and at no cost to consumers.
- Track or audit the history of consumer requests for use in the event of any legal disputes.
- Ensure that your systems enable you to honor all consumer requests within 45 days.
For larger organizations, I recommend creating a template and workflows for handling consumer requests. The process can become complex, but templates and workflows can help ensure quick responsiveness.
Install a “Do Not Sell My Personal Information” Button
Organizations need to provide two easily locatable links on their home page. One of the links must say, verbatim, “Do Not Sell My Personal Information.” The second link must be titled “Opt-Out,” through which a consumer can prohibit the sale of his or her personal information.
Document Compliance with “Do Not Sell My Personal Information” Requests
Ensure that your organization documents all the third parties to which it sells personally identifiable information. Doing so will enable you to alert those parties to stop processing that data upon receipt of a consumer’s request. CCPA states that no organization can sell any personal information for at least 12 months after a request is received.
By attending to these five critical steps, you will be well on your way to becoming CCPA-compliant by January 1, 2020. Still, if there’s a watchword I can offer, it would be this: act early and act often. There’s everything to be gained in building and maintaining the trust of your customers. Their PII is sacred to them; it must remain sacred to you as well.