10 steps your organization can take to prepare for the California Consumer Privacy Act (CCPA)

By Kelly LeBlanc, Knowledge Management Specialist
January 14, 2018

The California Consumer Privacy Act (CCPA) of 2018, which takes effect on January 1, 2020, is intended to protect the personal data of consumers who reside in California.

If your organization, regardless of its location, is collecting personally-identifiable information (PII) from California residents, this law affects you. It is prudent to take steps to prepare for the CCPA and begin to roll out compliance measures.

Examples of data covered by the CCPA include:

  • Identifying information such as names, addresses, IP addresses, and email addresses
  • Internet activity records (including browsing and search history)
  • Biometric information
  • Commercial information
  • Employment-related information

The CCPA is enacting a 12-month retroactive window, which means organizations should already have their data mapping and records of personal information in place. If your organization is not yet fully prepared, here are ten steps to help you get there.

10 Steps to Prepare for the CCPA

    1. Understand your data. Evaluate the categories of personal information collected by your organization. Data management planning is essential so you know where and how all your data is stored. If your data is housed in multiple locations, plan to consolidate.

    2. Analyze your data storage structures. Assess the capacity for cross-database searching at your organization. Ensuring that all of your organization's consumer data is searchable means data retrieval will be all-inclusive when consumer requests come in.

    3. Draft or update information security policies to maintain alignment with the CCPA. Ensure that organizational policies are in place that support the new CCPA. For example, you will need to document how you are protecting personally-identifiable information (PII).

    4. Develop a workflow to ensure compliance with the CCPA timelines for data access requests. The CCPA requires organizations to provide consumer data free of charge, electronically or by mail, within 45 days.  

    5. Ensure your organization's ability to provide all requested consumer data in a portable electronic format. When requested data is provided in a portable format, consumers have the ability to transmit their information to other entities. This ability is mandated by the CCPA.

    6. Be able to disclose up to the previous 12 months of collected consumer information as mandated by the CCPA. Yes, the CCPA does not become law until January 1, 2020, but consumer data starting from January 1, 2019 onwards must be accessible by your organization. This begins the requirement to ensure that a rolling 12-month window of accessible data can be reported on. Examples include, but are not limited to, the description of the consumer’s rights and methods for submitting requests for information or categories of personal information your organization has collected, sold, or disclosed in the past 12 months.

    7. Provide multiple outlets for consumers to exercise their data access rights. For instance, provide a toll-free phone number, email address, and website for consumers to use for CCPA-related requests.  

    8. Prepare for compliance with consumer data deletion requests. The CCPA gives consumers the option to request deletion of personal data. Organizations must include data deletion rights as part of online privacy notices. You’ll need to delete the data from all of your systems, so an accurate data inventory is critical.

    9. Provide consumers with the option of opting out of having their personal information sold to third parties. Consumers have the right to opt out of their data being sold at any time. Your organization must provide an accessible location for consumers to understand (1) where their data is collected from, (2) that their data may be sold, and (3) how to opt out. This includes a link on homepages titled "Do Not Sell My Personal Information."

    10. Provide training for employees who handle consumer data. Individuals responsible for handling inquiries must be informed of consumers’ rights and how to direct consumers to exercise those rights. It is essential that your organization have a change management process in place to ensure that employees are trained to use personal information collected from a consumer request solely to verify that request.

These ten recommendations are guideposts to help your organization get started on the path to CCPA compliance. Alignment with these data, information, and knowledge management best practices will provide a strong foundation for moving forward. If you have questions as to whether or not your organization falls under the scope of the CCPA, it is best to consult your legal team.

Kelly LeBlanc is a Knowledge Management Specialist at FireOak Strategies, where she specializes in open access and open data, metadata, GIS and data management, and data/information governance issues.