Chapter 4: Staying CCPA Compliant

When it comes to CCPA Compliance, most of the work is front-loaded at the "getting compliant" stage, but that doesn't mean it stops there. CCPA Compliance is an ongoing process that requires continuous effort and vigilance. This translates into two sets of responsibilities for businesses: responding to consumers' privacy requests as they come in and keeping the privacy program up to date as laws and business practices change.

While the time investment required for staying CCPA compliant may be less than what is needed to become compliant in the first place, these tasks are arguably more important. It's a good idea for businesses to create a Privacy Team to handle the new responsibilities. This team should include a person or group that stays current on any changes to the law and takes charge of keeping the business compliant. The team also needs people who are trained and authorized to process consumer requests.

Responding to Consumer Requests

As consumer data privacy requests come in, businesses must respond to them in a timely manner. If the business has already done the hard work of creating a complete data map and drafting procedures for handling each request type, responding to requests should be straightforward. The Privacy Team may need greater access than traditional customer support staff, because they must be able to retrieve and delete personal information and to pass opt-out requests through to service providers. It is important to respond to each request before its deadline.

Quarterly CCPA Maintenance

On a quarterly basis, the Privacy Team needs to check in and make sure the company's privacy program is running smoothly. Regular tasks include:

  • Reviewing the privacy inbox to see if there are any outstanding requests
  • Making sure all questions and concerns in the privacy inbox have been answered
  • Confirming that the company is complying with past opt-out requests
  • Ensuring that new employees handling privacy requests have received CCPA training
  • Adding or removing vendors from the data map

It is this last task that may take the most time, as onboarding vendors is always a labor-intensive process. In order to properly handle consumers' personal information, the Privacy Team must read each new vendor's contract in full and determine whether the vendor qualifies as a CCPA service provider. Existing vendors may also have made important changes to their Terms of Service or their Data Processing Agreements (DPAs) since the data map was created. Compliance software and other subscription services make this work much easier by keeping up with the latest changes.

Annual CCPA Maintenance

Annually, the Privacy Team must perform a few additional CCPA compliance maintenance tasks.

  • Review your data map and update your information collection and disclosure practices if necessary. For example, you may have stopped certain kinds of personal data collection but added others.
  • Update your main privacy policy to reflect any changes to the data map. The CCPA requires this annual review of the privacy policy.
  • Conduct a point-of-collection audit to see if your business is collecting information from consumers at any new places on its website. If so, add privacy policy links where necessary.
  • Review your request-handling instructions and update them if anything has changed about your data storage and retention practices.
  • Refresh your organization's privacy documents where needed, such as replacing outdated DPAs with new ones that vendors may have issued in the past year.
  • Stay updated on any changes to the privacy law and compliance landscape.

Keeping up with the latest changes to the law can be a complex and time-consuming task. The CCPA has already gone through multiple rounds of proposed regulatory changes, and the Consumer Privacy Rights Act (CPRA) made major alterations to the original law, which went into effect in 2023. Subscribing to data privacy newsletters or staying up to date automatically with compliance software will significantly lessen the burden and help avoid costly mistakes.

With a well-planned CCPA compliance strategy and up-to-date tools, these periodic maintenance tasks are easy to manage. Your Privacy Team should be able to quickly check them off and get back to their regular duties.

Next: Getting Started with CCPA Compliance

Having learned the basics of the CCPA and what is required for compliance, the next step is to get the project moving forward at your business. In the next chapter, "Getting Started with CCPA Compliance," learn about your different options and the investment required to become fully compliant.