The California Consumer Privacy Act (CCPA) is having a big impact on privacy standards throughout the United States. Businesses have many options for CCPA compliance, from off-the-shelf solutions and tools that make the transition as easy as possible to pricey consultants. But the better a business understands CCPA legal requirements, the better prepared it will be.
Quick checklist for CCPA compliance:
- Update privacy notices
- Maintain a data inventory
- Ensure consumers’ rights
- Make security updates
- Exceed minimum requirements
- Train staff on compliance protocols
There’s now an entire industry based on collecting and monetizing data. Businesses claim that they collect consumer data to provide more personalized consumer experiences. But this immense and seemingly ubiquitous industry’s practices are often invisible to the individuals whose personal data is bought and sold.
The EU’s General Data Protection Regulation (GDPR) and California’s CCPA are the two most consequential legal responses to concern about corporations collecting individuals’ private data.
These laws mandate business transparency regarding data collection and monetization to prevent consumer exploitation and manipulation.
Working through this CCPA compliance checklist will help you comply with CCPA and avoid fines and litigation. CCPA compliance can also enhance your brand because it shows your customers that you’re committed to ethical data practices.
Update privacy notices
The CCPA requires companies to issue a notice informing consumers what personal information they collect and for what purpose. The notice must explicitly inform consumers of their option to opt out of data collection.
Most companies will need to update their privacy policies to describe new consumer rights afforded by the CCPA.
Businesses must decide whether they will have separate policies for California residents or apply CCPA-compliant policies to all consumers no matter where they live. Many businesses find that extending CCPA and/or GDPR protections to all their customers is simpler than running parallel systems, because of the constant risk of accidentally falling out of compliance.
Maintain a data inventory
The CCPA requires businesses to create and maintain a database that tracks their data processing activities, including third parties, products, devices, and applications.
A GDPR-compliant company has a good head start, but CCPA compliance requires a few additional steps, according to the law firm Dickinson Wright. These steps include:
- Identifying whether the data is sold
- Disclosing which categories of personal information are transferred to third parties
- Determining what personal information is covered by HIPAA, the Fair Credit Reporting Act, or any law that would exempt the data from the scope of the CCPA
- Identifying data collected more than 12 months prior to the enactment of the CCPA, which could be exempt
Ensure consumers’ rights
The CCPA specifies a list of consumers’ rights:
- Right to notice. A business must properly notify consumers about the categories of information they’re collecting and the purposes behind this data collection.
- Right to request. Individuals have the right to request that a business disclose and deliver the personal information that business has obtained about them. If the business can verify the individual’s identity, they must fulfill the request.
- Right to know. Consumers have the right to request that a business collecting their personal information disclose the categories of information collected, the sources from which it was collected, the business purpose of collecting the data, and the specific information collected.
- Right to delete. An individual can request that a business delete their personal information. If the business verifies that individual’s identity, they must delete the information they have collected about that individual.
- Right to opt out. Businesses must allow customers to opt out of the sale of their personal data, and they must make the process easy by including a conspicuous “Do Not Sell My Personal Information” link on their website. The link must go directly to a straightforward request form.
- Right to equal service and price. Businesses cannot deny goods and services or impose penalties against consumers who exercise their privacy rights.
Businesses must have a system and procedures in place to respond within 45 days of receiving a verifiable consumer data request.
Make security updates
The CCPA imposes penalties on companies for security breaches that expose consumer data. Liability for data breaches rests with the entity that collects the information, not third parties like cloud storage providers.
Companies should properly vet vendors for CCPA compliance prior to signing a contract with them. In addition, businesses must understand how data moves between systems to determine the points at which they or their vendors are responsible for data safety. Vendors should be able to demonstrate their understanding of regulatory standards and the fact that they comply with those standards.
Exceed minimum requirements
Regulations set by the CCPA are the bare minimum required to avoid penalties. The CCPA is just the start of a new era of governmental oversight of the data industry. Shrewd businesses view the CCPA as an opportunity to establish practices and safeguards that instill a compliance culture capable of easily adapting as data protection laws become tougher.
For example, the CCPA requires businesses to respond within 45 days of receiving a request to delete personal information. A company that routinely responds within 30 days doesn’t have to worry about tougher laws to come.
Train staff on compliance protocols
The CCPA requires companies holding personal data to train employees on mandatory data handling practices. Online CCPA training is available to teach employees how to navigate this new regulatory landscape. Many businesses retain consultants to help in the stressful early stages of bringing the company into compliance.