On June 28, 2018, California enacted AB 375, commonly referred to as the California Consumer Privacy Act of 2018 (CCPA). The enforcement of CCPA is scheduled for January 1, 2020.
- CCPA offers consumers additional privileges to access and oversee their personal information. As currently adopted, the law expands consumer’s rights of access to and control over how their data is gathered, utilized, sold, and disclosed radically.
- Enterprises will need to change their operations, policies, and processes to comply with CCPA.
In this article, we provide a CCPA compliance checklist for your organization to help you prepare for the upcoming deadline.
- Evaluate whether CCPA Applies to your Company
The first step is to assess whether your company falls under the scope of CCPA. As currently approved, this law applies to companies that;
- Collect personal data from California’s residents and have yearly gross revenues exceeding $25 million
- Process the personal data of 50,000 or more California consumers, households, or devices.
- Derive 50% or more of their yearly income from selling the data of California consumers.
You should be aware that CCPA has wide applicability meaning that it safeguards the personal data of California consumers even when they are out of the state. For this reason, the ‘geofencing’ tactics employed to avoid compliance with GDPR may not suffice in the case of CCPA.
- Analyse and Monitor your Data Collection Techniques and Information Sources
You need to have a strong comprehension of the kind of personal data your company is gathering, how it is processed, and with whom it is shared. The CCPA will oblige you to reveal collected information to consumers who ask for it, as well as informing them about your data collection practices before you gather personal information.
Therefore, consider creating a system of infographics that capture the lifecycle of collected information, and data flow maps to pinpoint a consumer’s data. This approach will also be crucial to your recordkeeping objectives.
- Document your Data Handling Activities
Once the CCPA comes into effect, consumers in California have the right to request a business to provide specific disclosures connected to the processing of their data within the year before the request is made in a readily usable format.
Technically, this point implies that companies should already be maintaining records regarding their information processing activities to allow them to respond to these requests once the CCPA comes into effect on January 1, 2020.
- Evaluate Policies and Determine gaps with GDPR
One of the primary misconceptions is that GDPR compliance eliminates the need to comply with CCPA. Although companies should synchronize their GDPR and CCPA compliance strategies, they should also take into account the differences between the regulations.
As such, companies should implement measures focused on identifying gaps in their current procedures that violate CCPA requirements, determine procedural issues that compliance with CCPA may introduce, and develop a plan on how to become compliant.
- Examine Third Parties
A crucial obligation under CCPA is to give users a chance to opt-out of the ‘sale’ of their data.
However, the descriptions of what’ personal data’ and ‘sale’ entail are extensive under CCPA. Additionally, companies are extended a ‘safe haven’ for non-compliance by their service providers if specific oversights with the third party have been instituted.
For this reason, review all third parties that you work with and the contracts you have with them, both in terms of parties to whom data is transferred and counter-parties when the business is a recipient of data.
- Assess External Privacy Policies and other User Disclosures
This regulation calls for specific revelations to be made to consumers. Examining current disclosures and obligations made by the firm can facilitate the determination of any missing revelations and pledges as needed by the CCPA
- Develop Strategies on how to Inform Consumers about CCPA Compliance
Craft a uniform, public-focused communiqué that tells consumers about your business’ status on CCPA compliance. This message can be utilized in case a consumer inquires about CCPA. The message should be distributed within the firm to guarantee that your staff is aware of how to effectively communicate your company’s CCPA compliance status.
- Promote Agility
Although it is advisable to take steps to become compliant while awaiting regulations from the Attorney General, you need to be adaptable should the rules shift the goalposts for your strategies. CCPA has been subject to several amendments, some of which have been approved, others stalled, and others considered ‘dead.’ Therefore, your compliance plans need to be flexible when the final regulations are released by the AG to ease the compliance process.
- Track State and Federal Privacy Developments
CCPA will not be the final data privacy regulation that your company will be subject to. There are several new state regulation in the pipeline including proposed laws in Washington and New York.
The Federal Administration has also sponsored new data protection bills, comprising one that can forestall state regulations including CCPA. Consequently, keeping tabs on current data protection developments will be crucial to anticipating and responding suitably to legal modifications that have an effect on your business.