In our previous blog post on the California Consumer Privacy Act (CCPA), we compared this new data protection law to the European Union’s General Data Protection Regulation (GDPR).
In this final installment of our CCPA series, we will look at creating a compliance checklist to prepare for January 1, 2020, the CCPA effective date.
For a summary of the CCPA, its requirements, and what data is defined as "personal information" (and what is not covered), check out the first blog post in the series, "California Consumer Privacy Act of 2018 – A New Consumer Privacy Law You Need to Know".
As we saw in our comparison of the CCPA and GDPR, there are some areas where these two do overlap. However, being GDPR compliant does not ensure full compliance with the CCPA.
What should companies be doing now to prepare?
- Determine whether your company is required to comply with the CCPA.
  - Directly: a for-profit business that does business in California, collects California residents' personal information, and determines the purposes and means of processing it (a "controller" in GDPR terms), and that meets at least one of these thresholds:
    - Annual gross revenues in excess of $25,000,000, OR
    - Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, OR
    - Derives 50% or more of its annual revenue from selling consumers' personal information.
  - Indirectly: an entity that controls, or is controlled by, a business that qualifies directly and that shares common branding with it.
    - An entity that qualifies indirectly does not itself have to meet the thresholds above, be for-profit, or sell personal information.
  - Not all consumer personal information is covered by the CCPA (the first post in the series covers what counts). If you are not certain about your company's status, consult your Legal department.
- Designate a team to manage your organization's efforts.
  - The team should include stakeholders from Legal as well as people who know and understand the current data systems and processes.
- Create a thorough data inventory and data map, along with a data management plan, covering all consumer personal information from the last 12 months. Include all data that is
  - Collected by the company
  - Sold or shared by the company
- Update your privacy policy to describe California consumers' rights under the CCPA:
  - Right to Know
  - Right to Be Forgotten (deletion)
  - Right to Opt Out of the sale of personal information to third parties
  - Include your "Do Not Sell My Personal Information" page link
- Test and confirm that the systems and processes that collect, transmit, process, or store in-scope consumer personal information can support the required activities:
  - Verification of the identity of the consumer making a request before the request is acted on
  - Ability to respond to all consumer requests within 45 days
  - Information disclosure requests
    - Submit a request for disclosure of the personal information collected
    - Track the number of requests made by each consumer in a 12-month period
    - Provide the requested data in a portable and readily usable format
  - Deletion requests
    - Submit a request for deletion
    - Ability to delete the consumer's personal information within 45 days
  - Opt-out requests
    - Submit a request to opt out of the sale of personal information
    - Ability to enforce an opt-out of sale for a 12-month period
  - Opt-in for minors
    - Submit an opt-in request for consumers under the age of 16
    - Enforce that the data of consumers under 16 is not sold without an opt-in
  - All personal information is secured during collection, transmission, processing, and storage
  - Documentation and audit trails of all actions
  - If the systems cannot support these activities, they must be remediated before January 1, 2020.
- Update your company's website to include
  - A toll-free phone number for submitting requests
  - A "Do Not Sell My Personal Information" link and request form
  - An "Information Disclosure" request form
  - A "Right to Be Forgotten (Deletion)" request form
  - At each point where personal information is captured, a notice that the information may be sold, if applicable
  - If needed, a new section of the website to house CCPA-specific information and functionality for California residents
- Create and document the processes for responding to consumer requests for disclosure, deletion, and opting out of sale to third parties.
- Update contracts and Service Level Agreements (SLAs) with third parties that purchase and/or process consumer personal information, and confirm that those parties are CCPA compliant.
- Create a privacy awareness training plan for employees and complete the first round of training before January 1, 2020.
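The "test and confirm" item in the checklist lists what your systems must be able to do but not what that looks like in practice. The following is an added example, not code from the original post: a small Python model of a consumer request ledger and a "may we sell this consumer's data?" gate that combines the rules the checklist names (identity verification before disclosure or deletion, a 45-day due date with an overdue queue, a trailing 12-month count of disclosure requests, an opt-out that blocks sale and cannot be reversed for 12 months, and an opt-in requirement for consumers under 16), with every decision written to an append-only audit trail. All consumer records and dates are constructed for the demo, and `DISCLOSURE_CAP_12M` is an assumption made configurable because the post states no number.

```python
"""Request ledger and sale gate for the CCPA checklist (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_WINDOW = timedelta(days=45)   # respond to / act on a request within 45 days
OPT_OUT_HOLD = timedelta(days=365)     # an opt-out of sale is enforced for a 12-month period
MINOR_AGE = 16                         # no sale of under-16 data without an opt-in
DISCLOSURE_CAP_12M = 2                 # assumption: the post states no cap, so it is a setting here


@dataclass
class Consumer:
    consumer_id: str
    birth_date: date
    verified: bool = False                  # identity verified before disclosure/deletion is honoured
    opted_out_on: Optional[date] = None     # date of the current opt-out; None when not opted out
    minor_opt_in_on: Optional[date] = None  # date an under-16 consumer (or a parent) opted in

    def age_on(self, on: date) -> int:
        years = on.year - self.birth_date.year
        return years - ((on.month, on.day) < (self.birth_date.month, self.birth_date.day))


@dataclass
class Request:
    consumer_id: str
    kind: str              # "disclosure", "deletion", "opt_out" or "opt_in"
    received: date
    status: str = "open"   # "open", "completed" or "rejected"
    note: str = ""


class RequestLedger:
    def __init__(self) -> None:
        self.requests: List[Request] = []
        self.audit = []   # append-only trail of (date, consumer_id, event)

    def disclosures_in_last_12_months(self, consumer_id: str, on: date) -> int:
        return sum(1 for r in self.requests if r.consumer_id == consumer_id and r.kind == "disclosure"
                   and r.status != "rejected" and on - timedelta(days=365) < r.received <= on)

    def submit(self, consumer: Consumer, kind: str, on: date) -> Request:
        req = Request(consumer.consumer_id, kind, on)
        if kind in ("disclosure", "deletion") and not consumer.verified:
            req.status, req.note = "rejected", "identity not verified"
        elif (kind == "disclosure" and
              self.disclosures_in_last_12_months(consumer.consumer_id, on) >= DISCLOSURE_CAP_12M):
            req.status, req.note = "rejected", "12-month disclosure cap reached"
        elif kind == "opt_out":
            consumer.opted_out_on, req.status = on, "completed"
        elif kind == "opt_in":
            if consumer.opted_out_on and on < consumer.opted_out_on + OPT_OUT_HOLD:
                req.status, req.note = "rejected", "opt-out hold still in force"
            else:
                consumer.opted_out_on, req.status = None, "completed"
                if consumer.age_on(on) < MINOR_AGE:
                    consumer.minor_opt_in_on = on
        # accepted disclosure/deletion requests stay "open" until the 45-day work is done
        self.requests.append(req)
        self.audit.append((on, consumer.consumer_id, f"{kind} {req.status} {req.note}".strip()))
        return req

    def overdue(self, on: date) -> List[Request]:
        return [r for r in self.requests if r.status == "open" and on > r.received + RESPONSE_WINDOW]

    def may_sell(self, consumer: Consumer, on: date) -> bool:
        if consumer.opted_out_on is not None:
            verdict = "blocked: opt-out in force"
        elif consumer.age_on(on) < MINOR_AGE and consumer.minor_opt_in_on is None:
            verdict = "blocked: under 16 without opt-in"
        else:
            verdict = "allowed"
        self.audit.append((on, consumer.consumer_id, f"sale {verdict}"))
        return verdict == "allowed"


def run_scenario() -> dict:
    """Constructed walk-through of the rules; returns every decision so it can be checked."""
    ledger = RequestLedger()
    adult = Consumer("c-adult", date(1980, 5, 1), verified=True)
    teen = Consumer("c-teen", date(2006, 3, 15), verified=True)   # aged 13 on 2020-01-01
    out = {"adult_sale_default": ledger.may_sell(adult, date(2020, 1, 1)),
           "teen_sale_without_opt_in": ledger.may_sell(teen, date(2020, 1, 1))}
    ledger.submit(teen, "opt_in", date(2020, 1, 5))
    out["teen_sale_after_opt_in"] = ledger.may_sell(teen, date(2020, 1, 6))
    ledger.submit(adult, "opt_out", date(2020, 1, 10))
    out["adult_sale_after_opt_out"] = ledger.may_sell(adult, date(2020, 1, 11))
    unverified = Consumer("c-unverified", date(1975, 1, 1))
    out["unverified_disclosure"] = ledger.submit(unverified, "disclosure", date(2020, 2, 1)).status
    ledger.submit(adult, "disclosure", date(2020, 2, 1))
    ledger.submit(adult, "disclosure", date(2020, 3, 1))
    out["third_disclosure_in_12_months"] = ledger.submit(adult, "disclosure", date(2020, 4, 1)).status
    out["overdue_on_2020_03_20"] = len(ledger.overdue(date(2020, 3, 20)))
    out["opt_in_during_hold"] = ledger.submit(adult, "opt_in", date(2020, 6, 1)).status
    out["opt_in_after_hold"] = ledger.submit(adult, "opt_in", date(2021, 1, 15)).status
    out["adult_sale_after_opt_in"] = ledger.may_sell(adult, date(2021, 1, 15))
    out["audit_entries"] = len(ledger.audit)
    return out
```

Running `run_scenario()` shows the gate blocking the 13-year-old until an opt-in is recorded, blocking the adult as soon as an opt-out arrives, rejecting an opt-in attempted inside the 12-month hold and accepting one after it, rejecting a disclosure request from an unverified consumer and a third disclosure request inside 12 months, and listing the February request as overdue once 45 days have passed. The audit list is the evidence trail the checklist's "documentation and audit trails of all actions" item asks for; in a real system it would be written to append-only storage rather than an in-memory list.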