CCPA Roadmap for Compliance
The California Consumer Privacy Act will go into effect on January 1, 2020, which gives organizations who have yet to start their compliance efforts less than three months to prepare for the enforcement of the new data privacy law. While ensuring compliance with a new legal requirement is never easy and is often stressful, we’ve come up with seven steps to follow that can act as a roadmap for CCPA compliance.
Preparing for CCPA: 7 Steps You Need to Follow
1. Determine Applicability
One of the major pitfalls that we saw around the enforcement deadline of the EU’s GDPR is that many organizations did not know if the law applied to them because of the ambiguous nature of the law. However, with CCPA, there are set guidelines that define who must comply with the law. Specifically, CCPA applies to for-profit businesses that do business in California, collect California consumers’ personal information, and that meet any of the criteria:
- Have annual gross revenues of over $25,000,000
- Buy, sell, or share the personal information of 50,000+ consumers per year
- Derive 50% or more of their annual revenues from selling consumers’ personal information
If you’ve determined that CCPA does, in fact, apply to your organization, follow the next three steps.
2. Get Executive Support
Having an executive team on-board with compliance is absolutely critical. After all, if there isn’t a tone for compliance set at the top of the organization, why would anyone else think that compliance needs to be engrained in the company culture? Getting your executives on board with CCPA compliance will be the catalyst for ensuring that compliance efforts go smoothly, but it doesn’t stop there.Executives should be sure that they appoint a person or group of people to oversee compliance efforts – someone that fully understands the requirements of the law and can hold the organization accountable for maintaining compliance. Also, executives need to give the person or group responsible for CCPA implementation the right kind and amount of resources necessary to pursue compliance. Examples of CCPA compliance resources include: data mapping tools, training, data rights software applications, compliance consulting, and time.
3. Review Data Collection and Retention Processes
When was the last time your organization evaluated the type of data you collect or why you’re even collecting it in the first place? Is the data you collect absolutely necessary for your marketing efforts? Does all of the data you collect fuel the services you provide? Are there any data sets that aren’t needed? Reviewing your data collection processes will help you identify areas of potential weakness – like having consumers’ personal information stored that doesn’t actually need to be there or collecting information that you don’t actually use – all of which could prevent you from complying with CCPA. To more efficiently review your data collection processes, we suggest data mapping, which includes asking and answering the following questions:
- What personal information does your organization collect?
- How does your organization collect that personal information?
- Where and how is the personal information stored?
- Where and to whom is the personal information shared?
- How is the personal information transferred?
4. Update Your Privacy Policy
It’s not enough to have just a GDPR-compliant privacy policy; CCPA’s privacy disclosures include some unique and particularly precise requirements. To ensure CCPA compliance, then, you’ll need to update your privacy policy to make sure that it includes the following…
- A description of the new rights afforded to California residents
- A description of the methods for submitting a personal information or erasure request
- A link to an opt-out page on your company’s website
- A list of all of the categories of personal information that have been collecting within the past 12 months
- The sources of each category of personal information
- All of the purposes for using each category of collected information
- A list of the categories of personal information sold in the past 12 months
- A list of the categories of personal information disclosed for a business purpose in the past 12 months
5. Go Through a Gap Analysis
At KirkpatrickPrice, we always recommend that our clients go through a gap analysis before beginning an audit engagement. Why? Because a gap analysis provides insight into any operational, reporting, and compliance gaps that could hinder your CCPA compliance. A gap analysis is especially important with audits covering something as new as CCPA. Ultimately, a gap analysis asks and answers, “How is my organization doing compared to what’s required?”
6. Complete Remediation
After you’ve undergone a thorough gap analysis, you’ll have to remediate any and all findings before an audit can begin. At KirkpatrickPrice, we provide a Remediation Project Plan that consists of observed gaps, recommended remediation strategies, the required level of effort for remediation, and a remediation timeline. For example, one of your gaps might be that your organization does not currently have any contract that address data processing requirements under the provisions of CCPA (CCPA Section 1798.140(w)). A recommended remediation strategy would be to develop a policy that requires contracting whenever personal data is involved, which would require high-level effort over a 45-day period.
7. Go Through a CCPA Audit
Once you’ve completed the previous six steps, you’ll be ready to undergo a CCPA audit by partnering with a KirkpatrickPrice Privacy Expert to verify your compliance with the law.
At KirkpatrickPrice, we’re committed to helping our clients ensure the security of their data by partnering with you to achieve your challenging compliance goals – including conquering CCPA compliance. If your organization must comply with CCPA, let’s talk about how our Privacy Specialists can help you.
More CCPA Resources
Core Components of CCPA
Best Practices for Data Privacy
Privacy Policies Built for CCPA Compliance
California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know