If you’ve already determined that the California Consumer Privacy Act (CCPA) applies to your business, the next logical step is to ask, “Are we already CCPA compliant?” Obviously, any business owner or manager would prefer for this to be the case: it means you wouldn’t have to take any further action and could get back to running your business. Unfortunately, it’s unlikely that your business’s current personal-data collection practices already match 100% of the CCPA requirements.
CCPA compliance requires more than just posting a privacy policy; it requires businesses to keep track of consumers’ personal information in new, more systematic ways. This starts with creating a detailed data map that covers all of your business’s data collection points, storage locations, and disclosures to outside parties. Your business’s privacy policy is simply the public-facing disclosure of your business’s privacy efforts. Much of what it takes to be compliant takes place behind the scenes.
This quick CCPA compliance assessment will help you understand the current state of your business’s compliance with the California data privacy law. It’s not a substitute for legal advice or talking to a compliance expert, but it will give a general idea as to what changes, if any, you must make.
Your business likely already has a privacy policy posted online, but the CCPA requires that it include some specific notices to California residents (“consumers”).
Does your current privacy policy:
“Personal information” is broadly defined by the CCPA, and includes everything from browsing history to biometric information to IP addresses. It will be very difficult to meet this requirement without first creating a data map.
The CCPA gives Californians the right to know, right to delete, right to opt out of the sale of their personal information, and right to non-discrimination.
Deletion requests and requests to know must be verified by the business, with the level of verification depending on the personal information involved. You must provide clear instructions, and the process cannot be too burdensome.
Businesses can, and should, verify the agent’s permission to act on behalf of the consumer. These verification procedures should also be included in the privacy policy.
Accomplishing this will require you to first classify all vendors to determine if they meet the CCPA definition of a “service provider.” Ideally, this information should also come from your data map.
At least one of these methods should be related to how you normally interact with consumers. For example, if you normally interact with consumers online, you must provide an online contact method.
According to the CCPA’s definition, you may be selling personal information without realizing it. Common business practices such as using retargeting or behavioral advertising are considered selling.
The format and design should follow recognized industry standards such as the Web Content Accessibility Guidelines version 2.1.
This link should take the consumer to the page or section described above.
At least one of the two opt-out methods must be such a form.
Your business may be required to include the following notices.
In some limited circumstances, businesses may offer financial incentives to consumers for opting in to the sale of their personal information. If so, the business must disclose the details of these incentives.
If your business has knowledge that it sells personal information from consumers that are 15 or younger, it must provide information about how to obtain their consent.
If your business collects the personal information of more than 10 million consumers, it must provide additional information.
If you collect personal information at a physical store location, you must provide privacy notices there as well, include all information in your online privacy policy, and provide a toll-free number for making CCPA privacy requests.
There are four different types of privacy requests that correspond to consumers’ rights under the CCPA: requests to know categories of personal information collected, requests to know specific pieces of personal information collected, requests to delete, and requests to opt out. Each of these request types has its own rules, requirements, and exemptions. This portion of the checklist will help assess your business’s readiness to respond to privacy requests.
Without a thorough and up-to-date data map, it will be very difficult to know if you are fully complying with consumers’ requests.
At least one of the methods should relate to the way your business normally interacts with consumers.
While not necessarily required by the CCPA, it’s recommended to have all privacy requests and questions going to one inbox.
The level of verification needed varies by request type. Requests to know categories of personal information require less stringent verification than requests to know specific pieces of information. Similarly, deletion requests may vary depending on the type of consumer data to be deleted.
For security reasons, some types of personal information should not be disclosed in response to a request to know. These include social security numbers, passport numbers, account passwords, and more.
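One way to put the two preceding points into code, as an added example that is not TrueVault’s software or the text of the CCPA: a small request-to-know handler that refuses to answer until the verification tier matches the request type, and that strips the values this page says must never be returned. The tier names, the request-type keys, the field names and the sample record are all assumptions constructed for the example; the never-disclose set holds only the three examples this page names, and the page itself says there are more.

```python
"""Added example: tiered verification and value withholding for
CCPA requests to know. Not TrueVault code; all names are assumed."""
from enum import IntEnum


class Verification(IntEnum):
    """Assumed tier labels; ordering matters (higher is stronger)."""
    NONE = 0
    REASONABLE = 1   # assumed: enough for a request to know categories
    HIGH = 2         # assumed: required for a request to know specific pieces


# Per the page: requests for categories need less stringent verification
# than requests for specific pieces. Request-type keys are assumptions.
REQUIRED_VERIFICATION = {
    "know_categories": Verification.REASONABLE,
    "know_specific": Verification.HIGH,
}

# Values the page says must not be disclosed in response to a request to
# know. The page adds "and more": extend this set from the current
# regulations before relying on it.
NEVER_DISCLOSE = frozenset({"ssn", "passport_number", "account_password"})

# Constructed sample record: field name -> (CCPA category label, value).
# Every value here is fake and exists only to exercise the handler.
SAMPLE_RECORD = {
    "email": ("identifiers", "jane@example.com"),
    "ip_address": ("identifiers", "203.0.113.7"),
    "browsing_history": ("internet activity", ["/pricing", "/demo"]),
    "ssn": ("identifiers", "000-00-0000"),
    "passport_number": ("identifiers", "X1234567"),
    "account_password": ("credentials", "<stored-password-hash>"),
}


class VerificationError(Exception):
    """Raised when the consumer has not cleared the tier the request needs."""


def is_verified(request_type: str, verification: Verification) -> bool:
    """True when the tier the consumer cleared meets what the request needs."""
    return verification >= REQUIRED_VERIFICATION[request_type]


def build_response(record: dict, request_type: str, verification: Verification) -> dict:
    """Build the body of a request-to-know response from a consumer's record.

    - categories: names of categories only, never values
    - specific pieces: values, minus the never-disclose fields; the consumer
      is still told which field types were withheld so the answer is honest
      about what was collected without exposing the sensitive value
    """
    if not is_verified(request_type, verification):
        raise VerificationError(
            f"{request_type} requires {REQUIRED_VERIFICATION[request_type].name}, "
            f"consumer cleared {verification.name}"
        )

    if request_type == "know_categories":
        return {"categories": sorted({category for category, _ in record.values()})}

    disclosed = {
        field: value
        for field, (_, value) in record.items()
        if field not in NEVER_DISCLOSE
    }
    withheld = sorted(field for field in record if field in NEVER_DISCLOSE)
    return {"specific_pieces": disclosed, "withheld_fields": withheld}


if __name__ == "__main__":
    print(build_response(SAMPLE_RECORD, "know_categories", Verification.REASONABLE))
    print(build_response(SAMPLE_RECORD, "know_specific", Verification.HIGH))
    try:
        build_response(SAMPLE_RECORD, "know_specific", Verification.REASONABLE)
    except VerificationError as err:
        print("refused:", err)
```

The handler is deliberately separate from the data map: in practice `record` would be assembled from every storage location the data map lists, and the never-disclose filter is applied once at the response boundary so that no code path that formats an answer can skip it.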
The CCPA contains a number of exceptions to the right to delete. Any data that fits in these categories should be identified in advance.
Businesses can retain personal information that is deidentified or in the aggregate, even if the consumer submits a deletion request.
Third parties and service providers also must comply with CCPA requests, but it is your business’s responsibility to forward those requests.
Businesses only have 15 days to respond to an opt-out request.
Making an opt-out request can’t require more steps than the process to opt in, and it can’t be designed in a way that discourages consumers from making the request.
Only the California Attorney General can take businesses to court over most CCPA violations, but the law does create a private right of action for consumers in the event of a data breach. If consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement reasonable security procedures, they can recover either actual damages or statutory damages of up to $750 per incident. Though the CCPA doesn’t define what reasonable security procedures are, here is some general guidance.
Given the law’s emphasis on encryption, this is the logical place to start.
As with any of these requirements, what is adequate will depend on the situation, including what personal information is involved.
Alarm systems, surveillance cameras, keycard access, etc.
When providing employees access to sensitive personal information, a background check may be a reasonable requirement.
Businesses should periodically update their systems to close any gaps and prevent security breaches.
If you answered “no” to any of the questions above, then your business still has some work to do to get fully CCPA compliant.
Handling the project in-house is time-consuming and risky, while hiring a law firm or consultant is expensive. TrueVault Polaris is a software tool that automates the process, starting with data mapping and going all the way through responding to consumers’ privacy requests. Your business can be CCPA compliant in as little as a few days, and at a fraction of the cost of hiring a consultant.
Contact our team of compliance experts to learn more about TrueVault Polaris.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.
201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2022 © All Rights Reserved. Privacy Policy | Terms of Use | California Privacy Notice