Time is running out. The California Consumer Privacy Act (CCPA) goes into effect January 1st 2020, and businesses need to be taking the steps necessary to comply. The new law is widely considered to be the most comprehensive privacy regulation in the U.S. to date and won’t just affect businesses operating within the state of California. Instead, any organization that collects the personal information of California residents might be subject to the new regulation. It’s important that every business reviews the regulation to understand whether they will be required to comply.
And while the CCPA has many similarities to the E.U.’s General Data Protection Regulation (GDPR), organizations should not assume that compliance with one automatically means compliance with the other. It’s therefore essential that any business potentially affected by California’s new law understand what compliance entails and take steps to put any necessary new systems in place.
Compliance: The Essentials
Inventory California Data
Really, it’s always a good idea to conduct an inventory of the data collected and processed, but it’s going to be especially important for compliance with the CCPA. Because the regulation gives consumers the right to request information about how their data is used, the first step will be to conduct and maintain a comprehensive inventory of your data. This should include not only what data you’re collecting, but also how it’s collected, where it’s stored, and who it’s shared with.
It’s important to note that “personal information” covers more than just names and addresses. It also includes, among others, biometric data, geolocations, and internet activity. Really, any information that can be linked back to an individual will fall under the scope of the CCPA.
Develop Systems to Process Consumer Requests
After conducting a thorough inventory of this data, organizations will need to put in place procedures to quickly and accurately process consumer requests to access this information. Under the CCPA, consumers have the right to request information on what data is being collected and who that information is being shared with.
The regulation requires organizations to provide at least two methods for requesting this information, including at minimum a toll-free number and a webpage designated for requests. Once a request is made, businesses need to be able to quickly process and fulfill it. The CCPA requires all requested information to be delivered to the consumer within 45 days of the request.
For most businesses, this will be the toughest aspect of the regulation to put in place. To help, there are a number of automated tools that can assist with processing. We also recommend having someone on staff certified in privacy through the IAPP, or having someone on retainer who can assist with the process.
Introduce an Opt Out Link on the Homepage
Under the CCPA, businesses will need to include a link on their homepage allowing users to opt out of the sale of any personal information. The regulation requires that this link be “clear and conspicuous” and be titled “Do Not Sell My Personal Information.” Consumers also need to be able to complete the opt out request without having to create an account.
Update Privacy Policy
The CCPA will require businesses to update their privacy policy. According to the regulation, privacy policies will now need to include a description of consumer rights under the CCPA as well as a list of the types of personal information the company collects, shares with, and sells to other entities. The privacy policy should also include the link to the “Do Not Sell My Personal Information” page.
Review Overall Cybersecurity Policies and Practices
On a more general level, businesses should also take the time to ensure their cybersecurity policies and procedures are up to snuff. According to the CCPA, if an organization experiences a data breach, they will be considered responsible and be subject to fines if the state deems the organization to have “failed to implement and maintain reasonable security procedures and practices.” There will likely be more clarification on what “reasonable security procedures and practices” entails once the regulation goes into effect, but organizations should play it safe and ensure they have a strong cybersecurity system in place to safeguard against potential liability.