Making waves as the “domestic GDPR,” the California Consumer Privacy Act (CCPA) has made compliance an important issue in the data world. The CCPA appeared as a result of privacy concerns after the 2016 election, when Facebook and other firms made personal information vulnerable to misuse by Cambridge Analytica.
The deadline for the California Attorney General to provide clarifications about the law approaches. Consequently, companies that collect personal information from their users are scrambling to comply before the January 2020 effective date arrives. A March survey by TrustArc of 250 CEOs found that 88 percent of companies affected by the law require external help to understand their CCPA requirements, and 72 percent are planning to invest in technology to prepare for the CCPA.
So, how will the CCPA affect your business? And what investments do you need to make to prepare for compliance?
Here’s a five-step guide to preparing for the CCPA:
1. Understand the definitions
Understanding the law’s definitions, especially that of Personal Information (PI), is particularly important. Three key terms are used in the CCPA:
Business: The CCPA defines a business broadly. The CCPA applies to your business if it falls into one (or more) of the following categories:
- With annual gross revenues in excess of 25 million dollars
- That receives, buys, sells, or shares the personal information of 50,000 or more California consumers
- That “derives 50 percent or more of its annual revenues from selling consumers’ personal information”
Personal Information (PI): Perhaps the most contentious definition in the law, “personal information” should not be confused with “Personally Identifiable Information.” The CCPA defines personal information as that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Categories of personal information include:
- Unique personal identifiers (real name, alias, postal address, IP, passport number)
- Commercial information, including records of property
- Biometric information
- Internet or other electronic network activity information, such as browser information, screen size, click data or other interaction data
- Geolocation data, or locale / region information collected by browser or inferred by IP
- Inferences… “reflecting the consumer’s preferences, characteristics, psychological trends…predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”
Sell: The CCPA defines selling as “renting, releasing, disclosing, disseminating, making available, transferring…a consumer’s personal information by the business to another business or third party for monetary value or other valuable consideration.”
2. Map your data
Next, on the road to CCPA compliance, your business needs to map all PI you may have access to and which third parties that data is shared with.
In practice, your company will need to answer the following questions:
- What systems contain PI?
- What categories of PI do our systems contain, and which category does each piece of PI fall under?
- Is PI collected directly, or obtained and sold by a third party?
- How is each piece of PI collected? (marketing campaign, online form, etc.)
- What PI has been sold or made available to third parties?
- Which third parties has it been sold or made available to?
- Is PI collected for minors?
- Do consumers with PI captured also have an account?
- Can the last 12 months of PI be provided in a portable format?
Once you confidently answer the questions above for every piece of PI, you will have mapped out the scope of your data responsibility as it pertains to CCPA.
3. Create a training plan
Each customer-facing employee will need to be trained on a consumer’s new rights under the law. Whatever methods your company uses to comply with the disclosure and opt-out requirements, you’ll want to train employees on the details. Consumers will then be well informed about how to access their personal data through your systems and how to opt out of further collection.
Specifically, you’ll want to plan on training your employees to explain:
- What a consumer’s new rights are under the law
- How/where a consumer can make a verified request to the business
- By when the business will respond to a verified request
- The law’s non-discrimination section, for consumers who decide to exercise their rights under the law
- A “description of consumer rights”
- A link to one or more designated methods for submitting verified requests
- Separate lists of all categories of personal information that a business (a) collects, (b) sells, or (c) discloses
These updates should provide consumers with all the information they need to exercise their new rights under the law and for your company to be in compliance with the CCPA.
5. Build a request system
Above all, a crucial step toward CCPA compliance is laying out the technical requirements for, and building, a system that fulfills requests from California consumers to:
- access data collected about them
- opt out of future collection
- delete the last 12 months of data pertaining to them
- view the categories of information collected about them
This system will need to integrate with existing data storage infrastructure, inform third-party vendors of data that must be deleted, and provide a user-friendly experience for consumers who seek to exercise their rights with your company.
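To make steps 2 and 5 concrete, here is an added example (not Evolytics’ code, and not part of the original post) of a small request system built on top of a PI inventory. It assumes an in-memory inventory whose records carry the CCPA category, the holding system, the collection source and the third parties the record was shared with (the data-mapping answers from step 2); that identity verification of a request happens upstream and arrives as a boolean; and that deletion notices to third-party vendors are simply queued as dictionaries. The short category labels, the `PIRecord` and `RequestSystem` names and the sample data are all constructed for the example.

```python
"""Toy CCPA request system over a PI inventory (added example, not Evolytics' code)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

# Short labels standing in for the PI categories listed in step 1 (assumed naming).
PI_CATEGORIES = {"identifiers", "commercial", "biometric",
                 "network_activity", "geolocation", "inferences"}


@dataclass
class PIRecord:
    consumer_id: str
    category: str
    system: str                 # which internal system holds it (step 2)
    source: str                 # how it was collected, e.g. "online_form"
    collected_at: datetime
    value: str
    shared_with: list[str] = field(default_factory=list)  # third parties it went to

    def __post_init__(self) -> None:
        if self.category not in PI_CATEGORIES:
            raise ValueError(f"unknown PI category: {self.category}")


class RequestSystem:
    """Fulfils the four consumer requests from step 5: access, opt out, delete, categories."""

    LOOKBACK = timedelta(days=365)  # the post's "last 12 months" window

    def __init__(self, records: list[PIRecord], now: datetime) -> None:
        self.records = records
        self.now = now
        self.opted_out: set[str] = set()
        self.vendor_notices: list[dict] = []  # queued deletion notices for third parties

    def _in_window(self, consumer_id: str) -> list[PIRecord]:
        cutoff = self.now - self.LOOKBACK
        return [r for r in self.records
                if r.consumer_id == consumer_id and r.collected_at >= cutoff]

    @staticmethod
    def _require_verified(verified: bool) -> None:
        # Identity verification is assumed to happen upstream; unverified requests are refused.
        if not verified:
            raise PermissionError("request has not been verified")

    def access(self, consumer_id: str, verified: bool) -> list[dict]:
        """Rows for the last 12 months of the consumer's PI, in a portable form."""
        self._require_verified(verified)
        return [asdict(r) | {"collected_at": r.collected_at.isoformat()}
                for r in self._in_window(consumer_id)]

    def export_json(self, consumer_id: str, verified: bool) -> str:
        """The same rows serialised as JSON for delivery to the consumer."""
        return json.dumps(self.access(consumer_id, verified), indent=2)

    def categories(self, consumer_id: str, verified: bool) -> dict[str, list[str]]:
        """Categories collected, categories shared, and the third parties that received them."""
        self._require_verified(verified)
        out: dict[str, set[str]] = {"collected": set(), "shared": set(), "third_parties": set()}
        for r in self._in_window(consumer_id):
            out["collected"].add(r.category)
            if r.shared_with:
                out["shared"].add(r.category)
                out["third_parties"].update(r.shared_with)
        return {k: sorted(v) for k, v in out.items()}

    def delete(self, consumer_id: str, verified: bool) -> int:
        """Delete the last 12 months of PI and queue a notice to every vendor it was shared with."""
        self._require_verified(verified)
        doomed = self._in_window(consumer_id)
        for r in doomed:
            for vendor in r.shared_with:
                self.vendor_notices.append({"vendor": vendor, "consumer_id": consumer_id,
                                            "system": r.system, "category": r.category})
        gone = {id(r) for r in doomed}
        self.records = [r for r in self.records if id(r) not in gone]
        return len(doomed)

    def opt_out(self, consumer_id: str, verified: bool) -> None:
        self._require_verified(verified)
        self.opted_out.add(consumer_id)

    def collect(self, record: PIRecord) -> bool:
        """Gate new collection on opt-out status; returns whether the record was stored."""
        if record.consumer_id in self.opted_out:
            return False
        self.records.append(record)
        return True


def build_demo() -> RequestSystem:
    """Constructed sample inventory (not real data): three records for one consumer, one for another."""
    now = datetime(2020, 1, 1, tzinfo=timezone.utc)
    recs = [
        PIRecord("c-123", "identifiers", "crm", "online_form",
                 now - timedelta(days=30), "alice@example.com", ["ad-network-a"]),
        PIRecord("c-123", "network_activity", "analytics", "web_tracker",
                 now - timedelta(days=200), "clicked /pricing", ["analytics-vendor"]),
        PIRecord("c-123", "geolocation", "analytics", "ip_lookup",
                 now - timedelta(days=400), "US-CA"),  # older than 12 months: outside the window
        PIRecord("c-999", "identifiers", "crm", "marketing_campaign",
                 now - timedelta(days=5), "bob@example.com"),
    ]
    return RequestSystem(recs, now)


if __name__ == "__main__":
    rs = build_demo()
    print(rs.export_json("c-123", verified=True))
    print(rs.categories("c-123", verified=True))
    print("deleted:", rs.delete("c-123", verified=True), "notices:", rs.vendor_notices)
```

The point of the `shared_with` field is that a deletion request cannot stop at your own storage: the post notes the system must inform third-party vendors, so every deletion fans out into one notice per vendor per record. The `collect` gate is the opt-out enforcement point; in a real deployment it would sit in front of every ingestion path identified in the step 2 mapping, not just one in-memory list.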
Following these five steps should put your organization on the path to CCPA compliance. If you have additional questions, or want to work together to help your business comply with privacy laws, please reach out to Evolytics. We’re happy to help!