On January 1, 2020, the California Consumer Privacy Act (“CCPA”) went into effect, placing a new compliance burden on companies for the way they gather, store, and disseminate information.
Passed to provide more power to consumers to protect their identity, the CCPA provides a mechanism for California residents to identify what data is being collected from them, how it is stored and shared, and request it to be deleted.
The Act also places requirements on businesses to make changes to their compliance policies to support these new consumer rights. For this reason, it is imperative that CIOs familiarize themselves with CCPA, identify which section of the law applies to them, and determine how to prepare for and stay in compliance.
How CIOs can Prepare
It is crucial for CIOs to carefully analyze this new law in determining the CCPA’s impact on their business, examine the requirements of the law and penalties for violations, and evaluate their company’s readiness for compliance and strategy for minimizing risk.
Specifically, a business that collects consumer information is required to:
- Inform consumers about what personal information is collected
- Inform consumers about how their personal information will be used
- Identify the categories of personal information the company has collected
- Identify the categories of sources where the information is collected
- Disclose the purpose of collecting a consumer’s personal information
- Disclose the categories of third parties with whom the information is shared
- Identify the specific pieces of personal information collected from consumers
Therefore, CIOs must be proactive in identifying what part of the law relates to their business and determine how each component applies to daily operations.
Here are some points to consider when preparing for compliance with the CCPA:
Determine if Your Business is Required to be Compliant with CCPA
The first action you should undertake is determining if the law applies to your business and if you need to be compliant. This determination could be a challenge if you do not have the right data.
In particular, CIOs find it hard to determine what categories of information their company collects and how that personal information is processed and used.
In asking a few questions, businesses can determine if they fall under the auspices of the law:
- Do you conduct business in California?
- Do you collect any California resident’s personal information, or does someone else collect that information on your behalf?
- Do you generate annual gross revenue above 25 million dollars?
- Do you annually buy, sell, receive for commercial purposes, or share for commercial purposes the personal information of 50,000 or more California consumers aged 16 or over?
- Do you alone, or jointly with another entity, determine the purposes and means of processing of consumers’ personal information?
If you answered in the affirmative to some of these questions, then you will need to develop a strategy for determining just how much data you collect and whether or not it is applicable to the law.
In making this determination, a company typically deploys a Data Mapping analysis, along with a Data Protection Impact Assessment (DPIA) to determine how much data their organization collects and how it uses that information.
The information gleaned from the DPIA provides insight and assists in understanding how to go about meeting compliance requirements. Here are some tips for dissecting the data and determining the level of compliance required of your business:
Understand and Define the Information Flow
Follow the information flow into the company and identify the lifecycle of that information to minimize what data needs to be collected. This process includes identifying how data arrives from inside California and moves out of state, or if it is gathered from or shared with outside suppliers or vendors.
You should also identify how information is transferred internally or externally and if that information flow is governed by your company’s security procedures.
Finally, all people with access to personal information must be trained on their requirements under the law.
Break Down the Information from Your Data Mapping Analysis
First, identify the type of data being collected and examine what category it falls into. Identify what employees come in contact with personal data and how the data is stored and the security of where it is stored. Identify the transfer methods for the data, and how the data was collected from the consumer. Identify the information flow internally within the organization and who is responsible for that information at each stage and their access level.
Design and Implement Security Controls
Once the data flow is identified and defined through the DPIA analysis, it is important to put in place appropriate policies and procedures that control how personal information is handled and controlling who has access to that data.
A company can also put in place various types of encryption techniques for personal information that shields certain data from being viewed by unauthorized individuals or from being compromised through a database hack. There are ways to do this so that no matter how the data travels through the company, in any format, there are controls in place that keep it secure and protected.
Understanding Your Obligations Under CCPA
After you have identified that you indeed fall under the Act’s requirements through the collection of personal data, it is critical to understand the obligations applicable to your company under the law.
Study up on consumer rights and the protections provided under the law, and develop a compliance strategy for your organization that provides a pathway for becoming compliant. Since the law does not currently have a regulatory body responsible for compliance oversight, it is the responsibility of the organization in determining which requirements apply and what policies need to be in place to ensure proper security protocols, and that authorized employees are handling consumer data appropriately.
After going through these compliance check procedures, the CIO should have a fairly strong understanding of how data is processed, how the business uses that personal information, the information lifecycle and who administers the data, and the risks that come with non-compliance.
This information can now be utilized to develop a well-defined CCPA compliance strategy and identify all the risks and roadblocks that could hinder compliance and open the company up to violations.
Moving the Process Forward
Now that you have a better understanding of determining if CCPA applies to your organization, it is important to have a well-constructed plan on moving forward with a practical strategy for implementing compliance.
Here are some additional steps to consider when developing a comprehensive compliance plan:
- Create a privacy model and plan for taking steps to meet CCPA compliance requirements
- Update policies and procedures to include CCPA’s requirements with specific attention to California consumer rights. This includes opt-in/opt-out rights pages on all websites your organization controls.
- Create external procedures that allow consumers to opt-out of data collection, along with internal procedures for how to handle consumer requests
- Create toll-free phone numbers and emails addresses specifically to cater to consumers wishing to request removal or deletion of personal information
- Create strong security measures to protect and safeguard consumer personal information, and access mechanisms to control the authorized use of data
- Create processes that enable the company to reply to consumer requests within the required 45-day timeframe
- Create processes to inform third-party partners of any consumer data requests that are made of your company
- Develop policies and procedures to handle any unexpected incidents, such as a data breach, that define how the company mitigates damages
- Train your employees to understand CCPA requirements and explain how your organization informs consumers of their rights under the law
While the CCPA is California’s version of a data privacy law, many countries have begun revising existing privacy laws or creating new laws that govern now personal consumer information is gathered and disseminated.
With data security breaches becoming more prevalent around the world, more emphasis is being placed on developing strong regulatory rules on the handling of consumer information. It is critical for CIOs to understand these new laws and take proactive steps towards developing internal process to ensure compliance.