CCPA Compliance Checklist for the New California Privacy Law
The California Consumer Privacy Act (CCPA) is the next privacy compliance challenge for businesses, so we have built a quick compliance checklist of the major points. If you are looking for CCPA compliance software to help your organization fulfill these needs, call Clarip at 1-888-252-5653 to schedule a demo of our enterprise privacy management software, including the DSAR Portal and consent management.
Here is an overview of the key requirements of the new California privacy law:
Disclosures
– Disclose the rights provided by the CCPA and how to exercise them.
– Provide the categories of personal information collected and the purpose in the prior 12 months.
– Provide the categories of personal information sold in the prior 12 months.
– Update every 12 months, or before new personal information is collected or the information is used for a new purpose.
The CCPA provides for specific disclosures to consumers in addition to the information that must be provided as part of the right to access. It specifically requires that consumers be told in the privacy policy about their rights under the California privacy law and how to exercise them. They also must be told certain information about the company’s collection, usage and sharing of personal information over the past 12 months.
– Determine whether the organization is engaged in the “sale” of personal information.
– Add a “Do Not Sell My Personal Information” link to the home page and privacy policy.
– Stop selling personal information of individuals under 16 years of age without opt-in consent.
– Provide individuals 16 years of age or older with the ability to opt out of the sale of personal information.
– Limit subsequent sharing to the service provider exception.
– Honor an opt-out request for at least 12 months before attempting to obtain consent to sell personal information again.
The “opt out” for the sale of personal information is a key feature of the new law that has been somewhat controversial due to the broad and perhaps nontraditional definition of the word “sale.” Organizations need to give individuals the right to opt out of any sales (for those 16 years of age or older) and, after a consumer sends an opt-out request, limit sharing to only those third parties that meet the requirements of the service provider exemption under the law.
Right to Access:
– Provide two options for consumers to request their personal information: an 800 number and another method, such as a webpage.
– Verify the consumer request.
– Provide the required personal information within 45 days, either electronically in a portable format or by mail. Identify the sources of the information, the purpose for collecting it, and the categories of third parties if the personal information was “sold.”
This core feature of the law may be one of the toughest for businesses to implement, as they need to track down the location of all of the consumer’s personal information within their business. To accomplish this, many businesses will be conducting a data inventory or data mapping exercise as part of their compliance preparations.
Right to Delete
– Gather information from the California consumer for the request.
– Use the information to verify the consumer request is valid.
– Determine that none of the exceptions permit the business to retain the records.
– Delete the personal information that is not covered by an exception.
– Direct service providers to delete records.
Starting in 2020, California will require businesses to permit consumers to delete their personal information. If there is a valid request that can be verified by the business, the business must delete the data. There are nine exceptions specified in the law. If none of these exceptions applies, the consumer’s information must be deleted and a request sent to service providers to delete the information as well.
Cybersecurity: Implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
The CCPA provides for consumers to bring a class action seeking statutory damages of between $100 and $750 per consumer per incident in certain cases of data breaches. Organizations need to implement a reasonable cybersecurity program in order to defend against such litigation. If there is a data breach and they did not have reasonable procedures and practices in effect to maintain the confidentiality of the personal information, they will face the prospect of damages that could easily exceed $1 million if more than 10,000 people are impacted.
The law does not specify which procedures are reasonable. There is some possibility that this will be identified during the California Attorney General’s rulemaking process. If the California Attorney General does not issue regulations clarifying the scope of what is reasonable, businesses will be required to defend the reasonableness of their procedures in a court of law.
Privacy Training: Train all individuals handling consumer inquiries regarding privacy practices about the law and how consumers can exercise their rights.
At a minimum, the CCPA requires that privacy and compliance professionals who may handle consumer inquiries be trained about the rights provided by the law and how consumers may exercise them. This would include, for example, the individuals staffing the required 800 number and those receiving and responding to consumer inquiries under the right to access and the right to delete. If other personnel (such as a store clerk) are also tasked with answering questions rather than directing the person to other individuals or resources, they would also need training.
Additional Areas
There are a few other areas that are covered by the CCPA. These include deidentified / aggregate information and the discrimination clause / financial incentives program. However, this checklist provides a simple introductory version of the California law for organizations looking to get a quick handle on it. For additional information about the law’s complexities, please request our CCPA white paper.
Although we had already built a long overview to summarize the law, we thought that a quick compliance checklist would help businesses as they begin their preparations. The law goes into effect on January 1, 2020 (even if enforcement is delayed for a few extra months due to delays in publication of the final regulations), so don’t delay in your preparations.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Contact us (we return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options, from data mapping software and DPIA automation to cookie management for ePrivacy.