1. Start Now
LEARN MORE
Begin developing a CCPA compliance strategy now. The CCPA will take effect January 1, 2020. Don’t wait until the holidays; create a plan now that accounts for company meetings, holidays, and other initiatives.
8 Steps to CCPA Compliance
Achieve CCPA compliance with these eight steps. Meeting CCPA requirements can also prepare you for future CPRA compliance.
CCPA compliance isn’t business as usual
Compliance with the California Consumer Privacy Act requires ongoing maintenance and monitoring. To keep professionals updated on the latest news and action items for the CCPA, we produce timely and helpful articles.
2. Collaborate with your team, and come up with a plan of attack.
LEARN MORE
Identify a lead sponsor and cross-functional team. Complying with CCPA will require input initially and on an ongoing basis with departments such as marketing, product, IT, HR, finance, customer support, security, privacy, and legal.
Identify the resources needed (such as software tools, attorneys, and consultants)required to help with compliance.
Establish and/or review privacy training. As employees move between roles, it will be imperative to train employees and create a standard operating procedure for honoring individual rights.
3. Get to know your data.
LEARN MORE
Start the data mapping process. Understand the data you collect that qualifies as personal information under the CCPA. Where do you host your data (including with any third parties), and for what purpose is it used? This exercise is especially crucial to determine if you collect and sell data on children. If so, data collected on children under the age of 13 requires opt in with parental consent. Children 13-16 also requires consent directly from the child.4.Understand (and create processes to handle) the individual rights of disclosure, access, and deletion.
LEARN MORE
An individual has the right to understand details regarding how their data is processed (disclosure) and the right to access the categories of personal information collected. An individual also has the right to deletion; if any consumer requests their personal data be deleted, a business must delete all records (with some exceptions) of a consumer and direct service providers to do the same. This step may be the most complex under CCPA to implement. Businesses will need to establish training, processes and procedures and identify third parties that need to be involved to ensure compliance.5. Create a clear path and process for an individual to opt out of selling personal information.
LEARN MORE
Individual rights are a key aspect of CCPA.
An individual also has the right to opt out from the sale* of personal information. Businesses selling PI will need to put controls in place to manage the opt-out requests and also a process to capture subsequent authorization if the consumer changes their mind. One of the controls CCPA mandates is that businesses create a separate “Do Not Sell My Personal Information” webpage with an obvious path from their homepage that directs consumers to opt out of the sale of their personal information.
*Selling is broadly defined under the CCPA: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
6. Establish and/or strengthen security measures.
LEARN MORE
Understand the full lifecycle of a data record. CCPA requires ‘reasonable’ security measures, and performing a thorough privacy and security assessment for each service provider will help mitigate any mishandling of personal data.7. Update Privacy Notice
LEARN MORE
Transparency is critical under CCPA.
Update your privacy notices to specifically state what data is collected, explain the purpose for the data’s use, identify third parties with which that data is shared, and communicate the rights available to an individual about their personal data.
8. Prepare for the future of privacy laws and regulations.
LEARN MORE
New privacy regulations will continue to roll out. Already, 10+ states are evaluating a law similar to CCPA, and Brazil’s General Personal Data Protection Act (Lei Geral de Proteção de Dados or LGPD) takes effect in August 2020. Create adaptive and agile processes to help your company remain both compliant and efficient in the wake of new privacy legislation.
We believe privacy is just good business.
At Red Clover Advisors, we help businesses establish confidence with their customers by developing a secure online data strategy they can count on. Our job is to simplify privacy practices so your business can gain a competitive advantage through trust.
Resources
Red Clover Advisors is a certified Women’s Business Enterprise.
