The California Consumer Privacy Act of 2018 (CCPA) becomes effective January 1, 2020, but organizations must have certain data protection policies in place now to comply with the new legislation. Modifications to current procedures and a solid understanding of legal requirements are essential to CCPA compliance.
The CCPA increases consumers' rights to access and control their personal data, giving them a say in how it is collected, used, shared and sold. While the legislation will likely be amended before 2020, the general provisions will remain. We’ve put together a quick checklist to assess your business’s current state of readiness.
Existing Policy Review
Internal Data Collection and Data Policy Review – Your business should know what personal information it holds on individuals: how it is collected, how it is used, where it is stored, and who it is shared with or sold to. Review the policies your organization currently has in place and the day-to-day procedures actually followed for data security. Your published policy should disclose:
- What personal information will be collected and the purposes for which the data is used
- A statement of consumers’ rights, including the designated methods for submitting requests
- The consumer personal information collected in the previous 12 months
- The consumer personal information sold or disclosed for business purposes in the previous 12 months
Consumer Requests - To comply with data privacy law, businesses must have policies and procedures in place that allow consumers to request access to their personal and household data, its deletion (the right to be forgotten), or the history of its sale and sharing. The CCPA requires businesses to respond to consumer requests within 45 days with accurate information regarding:
- The categories of consumer and household information collected in the previous 12 months
- The categories of consumer and household information sold or shared for business purposes in the previous 12 months
- The sources from which consumer information was collected
- The commercial purpose for collecting, sharing or selling the personal information
- The third parties with whom consumer data was shared
- The specific personal data collected from the household
SaaS Solutions, IT Security, and Compliance
Software and IT Solutions - Work with an industry-leading data security company that provides solutions tailored to your organization for automated data processing, data subject access requests, breach notifications, and simplified opt-out tools.
CCPA grants consumers the right to access a copy of the specific personal information collected about the consumer that may be delivered electronically or by mail. Software used must be able to:
- Identify the personal information the business has collected and compile it into a portable format that can be provided to the consumer
- Securely authenticate the consumer’s identity
- Retain personal information for 12 months, with policies for secure disposal of data once it is no longer needed
- Once personal data has been identified, enable its deletion from business servers upon request from the consumer
Section 1798.120 of the CCPA gives consumers the right to opt-out of the sale of their personal information to third parties. Software used must be able to:
- Authenticate the consumer before responding directly to a request
- Comply with Do Not Sell requests
- Prevent the consumer from being asked for consent to sell for at least 12 months after their previous opt-out
- Process opt-out requests
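The two time-bound rules above (the 12-month suppression of consent-to-sell prompts after an opt-out, and the 45-day response window for the consumer requests listed under Consumer Requests) are easy to get wrong in practice. The following is an added illustration written for this checklist, not code from any vendor product named on the page; the class, method and field names are this example's own, and it assumes the 45-day window is counted in calendar days from receipt and that "12 months" is approximated as 365 days.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
# Assumptions (this example's own): the 45-day window is counted in calendar
# days from receipt, and "12 months" is approximated as 365 days.
RESPONSE_WINDOW = timedelta(days=45)
OPT_OUT_COOLDOWN = timedelta(days=365)

@dataclass
class ConsumerRecord:
    consumer_id: str
    do_not_sell: bool = False
    last_opt_out: Optional[date] = None
    # (received_on, request_type) for access / deletion / sale-history requests
    open_requests: List[Tuple[date, str]] = field(default_factory=list)

class PrivacyRequestLedger:
    """Hypothetical ledger enforcing the Do Not Sell and 45-day response rules."""
    def __init__(self):
        self._records: Dict[str, ConsumerRecord] = {}

    def _get(self, consumer_id: str) -> ConsumerRecord:
        return self._records.setdefault(consumer_id, ConsumerRecord(consumer_id))

    def record_opt_out(self, consumer_id: str, authenticated: bool, on: date) -> bool:
        """Apply a Do Not Sell request; refuse it if identity was not verified."""
        if not authenticated:
            return False
        rec = self._get(consumer_id)
        rec.do_not_sell, rec.last_opt_out = True, on
        return True

    def may_sell(self, consumer_id: str) -> bool:
        rec = self._records.get(consumer_id)
        return rec is None or not rec.do_not_sell

    def may_request_sale_consent(self, consumer_id: str, today: date) -> bool:
        """A consent-to-sell prompt is allowed only after the 12-month cooldown."""
        rec = self._records.get(consumer_id)
        if rec is None or rec.last_opt_out is None:
            return True
        return today - rec.last_opt_out >= OPT_OUT_COOLDOWN

    def log_request(self, consumer_id: str, request_type: str, received_on: date) -> date:
        """Record a consumer request and return its 45-day response deadline."""
        self._get(consumer_id).open_requests.append((received_on, request_type))
        return received_on + RESPONSE_WINDOW

    def overdue_requests(self, today: date) -> List[Tuple[str, str, date]]:
        """Open requests whose response deadline has already passed."""
        return [(r.consumer_id, kind, recv) for r in self._records.values()
                for recv, kind in r.open_requests if today > recv + RESPONSE_WINDOW]
```

An unauthenticated opt-out is refused rather than recorded, and a daily run of overdue_requests gives the compliance team the list of requests that have missed the 45-day window.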
Third Party Providers and Employees
Third Party Risk - Review and audit contracts and services with third party providers. Ensure their data privacy and security measures are compliant with respect to the consumer personal data shared with them. Establish a due diligence and onboarding process for providers to ensure ongoing compliance.
Employee Readiness – Assess your employees’ current understanding of the law and provide effective CCPA training to equip the employees responsible for handling consumer requests. In addition to training, organizations should:
- Monitor the use of systems containing personal information
- Establish written procedures, guidelines, and standards for all IT applications used within the company
- Set a policy for evaluating prospective software solutions for compliance
- Stay current with and understand CCPA legislation and its amendments