Complying with California’s Consumer Privacy Act (CCPA)

Patrick Hughes
Oct 2, 2019 1:03:00 PM

What is CCPA?

The California Consumer Privacy Act (CCPA) is a law that was enacted in June of 2018 and will take effect on January 1st, 2020, with Attorney General enforcement starting on July 1st, 2020. This law is designed to give California residents access to their data being held by companies anywhere in the nation. It is similar in many ways to the General Data Protection Regulation (GDPR), which was implemented in the European Union in 2018, but with several key differences. The major difference is that GDPR applies to any data that can identify the consumer (personally identifiable information, or PII), whereas CCPA is much broader in that it can be any data that can be associated with a consumer or a household.

Who is required to comply?

Though this is a California privacy law, it applies to many organizations across the nation. Whether you are a company located in California collecting data from consumers, or you are an organization on the east coast collecting any data from a California consumer, the CCPA may apply to you. For starters, only for-profit organizations are subject to CCPA. You are required to comply if you are a for-profit organization that meets at least one of the following criteria:

  • Annual gross revenue over $25 million
  • Receive or share personal information from more than 50,000 California residents annually
  • Half of the organization’s revenue comes from selling California residents’ data

How to Comply:

The first step that all organizations should take to comply with the CCPA is to make sure their data inventory is up to date. What does this mean? Know where your data is, what state the data is from, and ensure that it is secure. When a California consumer comes to your organization and requests access to their data and your organization can’t locate it in your database, you could quickly run into financial and legal consequences. It is critical to be able to successfully navigate your database so that if requests come in, they can be handled in a timely manner. Residents have the right to access their information as well as the right to request its deletion, if they so choose. An accurate data inventory is key to fulfilling both of these requests, as is a mechanism to effectively provide the consumer access to the data or to delete it.

The next thing an organization should do to better comply with CCPA is to implement data retention and disposal policies and procedures to remove any unnecessary data. The CCPA requires that all unnecessary data be disposed of if there is not a business need for that data. All data that your organization retains is legally your responsibility. By making sure that you aren’t hanging on to old data, you are protecting yourself in the event of a breach. This also ties into our first step of having an accurate data inventory so you know what should be retained and what needs to be deleted.

Third, identify any third parties processing data. Third parties are defined as any persons or entities that receive consumer information that are not part of the business or a service provider. You need to determine how much access these third parties have to the data, and then provide an opt-out opportunity to all consumers.

Finally, ensure that your organization has an updated privacy policy that includes consumer notification and provides consumers the right to opt out if a business wants to sell their data. Organizations need to post their privacy policy to their website and must also provide notice to consumers regarding how their personal information will be used. The notice must explicitly indicate the categories of their personal information that are collected, disclosed, or “sold”, and that they have a right to opt out of this selling.

Compass IT Compliance offers CCPA Assessments to assist your organization in identifying whether you fall under this law’s scope and what CCPA-specific risks may be present in your consumer data environment. The CCPA Assessment provides an evaluation of your organization’s current level of compliance with the regulation and helps identify and prioritize the key work areas that your organization must address related to CCPA. For more information on CCPA, please contact us for further guidance!
