CCPA Compliance Guide – Requirements, Deadlines and Software Tools for California Privacy
2019 will be the year of CCPA compliance preparations as businesses get ready for its start on January 1, 2020. If your company is looking for software to prepare for the California Consumer Privacy Act, call Clarip at 1-888-252-5653 to discuss how our enterprise privacy management software and consultants can help your organization.
CCPA Compliance Challenges
The new CA privacy law will present a number of compliance challenges for organizations of all sizes over the next year. These challenges include:
– Conducting a data mapping or inventory to identify the personal information implicated by the law.
– Anticipating possible amendments by the California legislature which are expected to be considered in early 2019.
– Integrating a privacy program built for GDPR compliance with the requirements imposed by the CCPA.
– Establishing procedures and sourcing or building privacy tools to fulfill the requirements of the CCPA.
– Adapting preparations to the final regulations from the California Attorney General that are developed in the public comment and rulemaking process.
– Deciding whether to apply the new California rules to individuals located in other states (consumers residing outside California).
– Allocating resources and preparing for the new law to go into effect despite the possibility of federal preemption as Congress considers passing a new federal privacy law.
– Ensuring that security procedures and practices are reasonable.
– Building a privacy team that can cure an alleged violation within the 30-day period that follows a notice of violation from the California Attorney General.
– Identifying the grey areas in the privacy law and resolving how they apply to the organization's own situation.
Organizations will face these and other tasks over the next 12-18 months as they adapt to the requirements of the privacy law.
The Compliance Date: January 1, 2020 and July 1, 2020 Deadlines
There has been a lot of confusion following SB 1121 about the start of the compliance period for the CCPA. The law was originally scheduled to go into effect on January 1, 2020. However, several days before the CCPA amendment passed in August 2018, the California Attorney General wrote a letter to the sponsors of AB 375 indicating that the office would need more time to conduct the public comment process and issue final regulations under the new law. As a result, the legislators gave the AG's Office more time and moved the deadline for issuing the regulations to July 1, 2020. At the same time, a provision was added that the Attorney General would begin enforcement six months after the final regulations were in place, and no later than July 1, 2020.
Nevertheless, the CCPA amendment did not change the overall effective date of the law, which remains January 1, 2020. This means that businesses will need to begin responding to opt-out and DSAR requests on that date. They may also face class action lawsuits under the private right of action for data breaches from that date, since that provision does not depend on the regulations. If the final regulations are not published before the law takes effect, businesses simply get a grace period of at most six months (until July 1, 2020) before government investigations and enforcement actions begin; if the regulations are published earlier, enforcement can start six months after their publication.
CCPA Compliance Checklist:
We have put together a quick overview of some of the important steps that businesses will need to take as they prepare for the California Consumer Privacy Act to go into effect. If you are looking for the “highlights” of the law, please click here to read it at your leisure.
The Four Major Areas for Privacy Compliance:
1. Sale of Personal Information
2. DSAR
3. Cybersecurity
4. Privacy Disclosures
Sale of Personal Information Compliance:
There are four major components to compliance with the CCPA requirements on the sale of personal information.
First, the categories of any sales in the prior twelve months must be disclosed in the privacy policy (discussed further below).
Second, the personal information of consumers under the age of 16 may not be sold without opt-in consent: the consumer's own affirmative authorization for those aged 13 to 15, and a parent's or guardian's authorization for those under 13.
Third, there must be a Do Not Sell My Personal Information form to process opt-out requests that is linked to on the homepage and privacy policy via the required link.
Finally, after an opt-out request has been received, any further transfer of that consumer's personal information to a third party that would fall within the definition of a "sale" must stop unless it fits an exemption in the law, most importantly the service provider exemption, whose contractual terms must actually be in place.
Data Subject Access Rights (DSAR) Compliance:
Organizations need to be prepared to verify consumer identities using the procedures established by the Attorney General (most likely using the information already in their possession and without requiring the consumer to create an account), provide consumers with the personal information collected about them, and delete that personal information if the consumer requests it and it is not covered by one of the exemptions. They also need to be able to direct their service providers to delete the consumer's records after receiving a deletion request.
In order to comply with this section of the law, businesses need to know where personal information is located and have a system that prevents requests from falling through the cracks and exceeding the statutory response period (45 days from receipt, extendable once by a further 45 days where reasonably necessary, with notice to the consumer).
Data Protection & Security Compliance:
Did you know that the CCPA is also a cybersecurity law? Well it is!
AB 375 provides for substantial statutory damages if an organization suffers a data breach as a result of its failure to implement and maintain reasonable security procedures and practices. The California legislature amended this section in SB 1121 to make clear that the private right of action and class action provision applies solely to such security violations and does not extend to violations of the other sections of the law.
As a result, although the law is widely regarded as the United States' most advanced privacy law, it also requires organizations to strengthen their cybersecurity protections against the unauthorized access and exfiltration, theft, or disclosure of nonencrypted or nonredacted personal information. Two caveats matter for security teams: the breach provision uses the narrower definition of personal information in California's data breach statute (Civil Code 1798.81.5), not the broad CCPA definition, and it reaches only data that was neither encrypted nor redacted. Encrypting personal information at rest and in transit, and limiting where it is stored in the clear, therefore directly reduces exposure under this provision.
Organizations that only take the steps specified by the law with regard to privacy policies, the sale of personal information and data subject access rights could still be open to millions of dollars in liability after a breach. The law provides data breach victims with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, where reasonable security practices were not in place or were not followed.
CCPA Privacy Policy Requirements
In addition to the disclosure requirements provided for as part of the right to access, businesses complying with the California law need to make some affirmative disclosures regarding their privacy practices in their privacy policy, through a just in time privacy notice or by other means.
These disclosure requirements include:
– A disclosure concerning the rights of California consumers under the law and the method(s) for them to exercise their rights.
– A link titled "Do Not Sell My Personal Information" which provides access to the opt-out form to stop the sale of personal information. This link is also required on the homepage, unless there is a California-specific homepage.
– A disclosure of the categories of personal information collected and sold in the past 12 months, as well as the business purposes of the personal information collected.
If an organization is going to collect additional categories of personal information or use information for another purpose, it must provide consumers with notice consistent with the law’s requirements.
Contact Clarip Today for Help with CCPA Software Tools
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.