Key Steps to CCPA Compliance Solution for Your Firm


CCPA

The California Consumer Privacy Act (CCPA) is the first state-wide data privacy regulation that governs the processing and sale of personal information of California residents by organizations.

It came into force on 1 January 2020. It is the first of its kind and the most recent cookie law passed by the State of California in response to the growing role of personal data in business practices and its privacy implications.

This statute is intended to strengthen consumer privacy rights and to give consumers insight into how their personal information is used. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code.

Your 8 Steps to Become CCPA Compliant

If an organization has already implemented a GDPR program, it should be ready to take some extra steps for the CCPA. If not, we have put together all the important steps to comply with the CCPA.

Step 1

CCPA applicability on you

The CCPA protects any natural person who is a California resident. A natural person here means an individual human being, as opposed to a legal person, a category that also includes private businesses and public governments.

The law gives California consumers the right to know what personal information is collected about them; they can also request a copy of that information or ask to opt out of its sale.

They can also sue an organization for a data breach affecting their personal information.

You can check whether you fall under the scope of CCPA by using these criteria:

Section 1798.140(c): Businesses are obligated to take steps to comply with consumers’ rights if they collect personal information from California residents and do business in the state (whether or not they have a physical presence in California) and any of the following three additional thresholds apply. That is, the business:

  1. Has annual gross revenues more than twenty-five million dollars ($25,000,000); or
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

Your first step is to identify whether the law affects you. There are several exemptions, including information already subject to the Gramm-Leach-Bliley Act (GLBA).

The CCPA also covers the grey areas left by such sector-specific regulations. For example, financial institutions should keep in mind that the CCPA is much broader than the GLBA: types of personal information not covered by the GLBA, such as data obtained through webpage tracking, now fall under CCPA protection.

Step 2

Perform Data Mapping and build Data Inventory

Once you make sure that the CCPA applies to your organization, your next step is to begin mapping the customer data you collect.

Data enters your organization’s systems from multiple streams, so it is very important to understand the source, destination, usage, and so on of each, so that you can better organize, access, analyze and protect it. Without an accurate and transparent inventory, it is hard to identify and mitigate any underlying risk, which in turn makes it more difficult to identify the controls required to protect your valuable information assets.

An easy way out is to start answering these few questions:

  • What personal data do you currently collect?
  • What are your methods for data collection?
  • Where and how do you store this data?
  • Do you share the data you collect? If so, with whom?
  • Do you sell the data, provide it in exchange for a service, or use it for a different purpose?

Perform a data inventory so that you have an auditable record of your data flows across the enterprise, like a data roadmap.

Step 3

Perform Data Protection Impact Assessment/Privacy Impact Assessment (DPIA/PIA)

Perform a risk assessment of the various data flows identified in the inventory and measure your data practices against it. Many organizations are not aware of the data they own, its scope, or where it is located. With proper insight into your data and its associated risks, it is much easier to get a good sense of the impact in the context of the CCPA.

The assessment should be paired with enough insight into your processing activities to uncover and mitigate the privacy risks associated with the processing of personal data.

A DPIA is a process designed to help you systematically analyze, identify, and minimize the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR, and when done properly helps you assess and demonstrate how you comply with all your data protection obligations.

Step 4

Identify high risk or sensitive personal information

Determine high-risk processing activities for information pertaining to financial, healthcare, or children’s records.

Step 5

Take actions to mitigate the risks identified

Mitigate the identified risks in the various phases of the privacy program through technical and security measures, governance, and vendor management.

  • By irreversibly masking personally identifiable information, the data becomes de-identified and is no longer considered personal information under the CCPA or GDPR.
  • Also make sure vendors protect the data you share with them and follow the CCPA requirements. Certain contractual language must be in your vendor contracts to shift liability to them for any failure on their part to comply with the CCPA. Lastly, train everyone in your company who collects personal information.

Step 6

Decide How to Handle Customer Requests

Your organization should be able to receive and respond to consumer requests. You must have a step-by-step procedure in place that dictates how your teams will handle these inquiries.

CCPA requests must be answered within 45 days and free of charge.

Work with your in-house personnel to decide how you will provide these types of services:

  • Provide copies of personal information on consumer request
  • Delete personal information on consumer request
  • Opt consumers out of the sale of their personal information on request
  • Explain what categories of personal information your company sells

Step 7

Provide training

Document all the steps required under the CCPA and, in addition to recording them, make sure your teams, especially those in public-facing roles, know how to respond.

Step 8

Review Analytics

Maintain an auditable record of your privacy program by keeping track of all the phases. You can use this record in future as a benchmark for the upcoming year or apply it to new lines of business, which will help you easily update the phases as necessary.

Audit data analytics involves the analysis of complete sets of data to identify anomalies and trends for further investigation, as well as to provide audit evidence.

How Mandatly Helps

  • Data Inventory and Mapping: Gain visibility into the personal data you have collected, retained, and processed by centralizing all your systems and processing activities, and keep the data inventory up to date for “lookback” and for fulfilling subject access requests.
  • PIA/DPIA: Perform risk assessments with the Mandatly compliance software solution, which offers pre-defined templates, relevant workflows and automatic assessment of risks and their impacts, supporting risk-informed decision making with records of every action performed during the assessment process.
  • DSAR Management: Our DSAR solution automates your Data Subject Request process to gain efficiency and save you time and resources.
  • Accountability and Governance: We provide pre-defined roles and responsibilities to handle the privacy procedure with the utmost accuracy and accountability.
  • Reporting: We offer a reporting feature built into the system to give different stakeholders a holistic view of the compliance program.
