If you’ve already determined that the California Consumer Privacy Act (CCPA) applies to your business, the next logical step is to ask, “Are we already CCPA compliant?” Obviously, any business owner or manager would prefer for this to be the case—it means you wouldn’t have to take any further action and could get back to running your business. Unfortunately, it’s unlikely that your business’s current personal-data collection practices already match 100% with all of the CCPA requirements.
This quick CCPA compliance assessment will help you understand the current state of your business’s compliance with the California data privacy law. It’s not a substitute for legal advice or talking to a compliance expert, but it will give a general idea as to what changes, if any, you must make.
“Personal information” is broadly defined by the CCPA, and includes everything from browsing history to biometric information to IP addresses. It will be very difficult to meet this requirement without first creating a data map.
The CCPA gives Californians the right to know, right to delete, right to opt out of the sale of their personal information, and right to non-discrimination.
Deletion requests and requests to know must be verified by the business, with the level of verification depending on the personal information involved. You must provide clear instructions, and the process cannot be too burdensome.
Accomplishing this will require you to first classify all vendors to determine if they meet the CCPA definition of a “service provider.” Ideally, this information should also come from your data map.
At least one of these methods should be related to how you normally interact with consumers. For example, if you normally interact with consumers online, you must provide an online contact method.
According to the CCPA’s definition, you may be selling personal information without realizing it. Common business practices such as using retargeting or behavioral advertising are considered selling.
The format and design should follow recognized industry standards such as the Web Content Accessibility Guidelines version 2.1.
This link should take the consumer to the page or section described above.
At least one of the two opt-out methods must be such a form.
Your business may be required to include the following notices.
In some limited circumstances, businesses may offer financial incentives to consumers for opting in to the sale of their personal information. If so, the business must disclose the details of these incentives.
If your business has knowledge that it sells personal information from consumers who are 15 or younger, it must provide information about how to obtain their consent.
If your business collects the personal information of more than 10 million consumers, it must provide additional information.
There are four different types of privacy requests that correspond to consumers’ rights under the CCPA: requests to know categories of personal information collected, requests to know specific pieces of personal information collected, requests to delete, and requests to opt out. Each of these request types has its own rules, requirements, and exemptions. This portion of the checklist will help assess your business’s readiness to respond to privacy requests.
Without a thorough and up-to-date data map, it will be very difficult to know if you are fully complying with consumers’ requests.
At least one of the methods should relate to the way your business normally interacts with consumers.
While not necessarily required by the CCPA, it’s recommended to have all privacy requests and questions going to one inbox.
The level of verification needed varies by request type. Requests to know categories of personal information require less stringent verification than requests to know specific pieces of information. Similarly, deletion requests may vary depending on the type of consumer data to be deleted.
For security reasons, some types of personal information should not be disclosed in response to a request to know. These include social security numbers, passport numbers, account passwords, and more.
The CCPA contains a number of exceptions to the right to delete. Any data that fits in these categories should be identified in advance.
Businesses can retain personal information that is deidentified or in the aggregate, even if the consumer submits a deletion request.
Third parties and service providers also must comply with CCPA requests, but it is your business’s responsibility to forward those requests.
Businesses only have 15 days to respond to an opt-out request.
Making an opt-out request can’t require more steps than the process to opt in, and it can’t be designed in a way that discourages consumers from making the request.
Only the California Attorney General can take businesses to court over most CCPA violations, but the law does create a private right of action for consumers in the event of a data breach. If consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement reasonable security procedures, they can recover either actual damages or statutory damages of up to $750 per incident. Though the CCPA doesn’t define what reasonable security procedures are, here is some general guidance.
Given the law’s emphasis on encryption, this is the logical place to start.
As with any of these requirements, what is adequate will depend on the situation, including what personal information is involved.
Alarm systems, surveillance cameras, keycard access, etc.
When providing employees access to sensitive personal information, a background check may be a reasonable requirement.
Businesses should periodically update their systems to close any gaps and prevent security breaches.
If you answered “no” to any of the questions above, then your business still has some work to do to get fully CCPA compliant.
Handling the project in-house is time-consuming and risky, while hiring a law firm or consultant is expensive. TrueVault Polaris is a software tool that automates the process, starting with data mapping and going all the way through responding to consumers’ privacy requests. Your business can be CCPA compliant in as little as a few days, and at a fraction of the cost of hiring a consultant.
Contact our team of compliance experts to learn more about TrueVault Polaris.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.