Becoming CCPA Complaint

California Consumer Privacy Act (CCPA) enacted on Jan. 1, 2020 is the new Privacy Law created to protect the privacy rights of Californian citizens.  The Act, as we described in our article – (link to the first article), puts restrictions on companies on how they collect and use consumer data. The act requires companies to build in mechanisms that will ensure that CCPA requirements are met. This includes establishing methods of interaction with the customer and internally building mechanisms to handle the requests from the end-user. Some of the key mechanisms that you need to establish in the organization to interface with the end-user are:

• The organization shall put in place methods to provide the information on their data upon a request from the end-user. The systems shall allow the end-users an ability to see what personal data the organization have, make requests to understand how their information and data are managed, provide rights to sell it or request to remove all or a part of the data, etc. The organization shall, at a minimum, put in place a Toll-free number and a web portal to enable the end-users to exercise their rights.
• The information requested from the end-user shall be delivered to the customer within 45 days and no charges shall be levied for such a service
• The organization shall verify the customer before disclosing information.
• Information shall cover 12 months period preceding the request.
• Companies also need to train their employees on CCPA and non-discrimination policy, in particular, to ensure they understand the CCPA principles and ‘Right to equal services and prices’ is followed.

Gap Analysis and Remediation

While compliance to CCPA seems like few simple steps to follow, especially if you look at the mechanisms that you need to put in place for interaction with the end-user and most companies will solely focus on this. But, a lot of effort is required especially on your internal data to ensure the customer is given the right information and all his requests are fulfilled. Creating a database of customers which includes information on who is using it within the company, the purpose of the data being collected, and what are the rights granted on the data is the first step towards this.

A detailed gap analysis shall be conducted by the organization to understand the consumer data that is collected and used. The steps that you need to take to conduct a gap analysis are:

• Data and Process Mapping and dataflow analysis: This requires an organization to understand their data and process mapping, data sources and how the data flows.
• Creating a compliance program (and relevant tasks for alignment): Planning for the compliance program and listing all the tasks required to meet the CCPA requirements would be the next step.
• Reviewing the current consent mechanism in place: The organization needs to review the consent mechanisms and understand what processing right the current consent mechanism grants.
• Reviewing the data access mechanisms: Next, an organization need to understand how the data is accessed and who accesses and uses the data.
• Creating data elements inventory: Next, create a data elements table to define the purpose of data, who uses the data, rights granted on the data, etc.
• Reviewing the identification mechanism: upon receiving a data access request by a consumer, the organization must put in place an identification mechanism ensuring that the consumer is identified.

Once gap analysis identifies key data elements, the next step required is remediation. This will include:

• Review of existing policies: Conduct a review of Third-party agreements, Privacy Policies, Privacy Notices, data breach incidence policy, etc against the CCPA requirements
• Create relevant policies and procedures: Update existing policies to comply with CCPA or draft new policies
• Training and Awareness Program: Run a training and awareness program within the organization for employees to clearly understand CCPA requirements and the changes done to procedures/new procedures created
• Privacy by design: Build privacy into the engineering process. This means privacy and data protection is handled at each step including internal projects, software or product development, IT systems, etc. for each personal data that is processed by the organization.
• Perform PIA (Privacy Risk Assessment): Carry out a risk assessment on the company’s processes to determine how these processes may compromise or impact the privacy of personally identifiable information (PII) the company collects or uses.
• Review/create an opt-out mechanism: a basic right of all consumers protected under the CCPA is the right to opt-out of any service and mailing list.

CCPA compliance may seem like an enormous task, but with the right guidance and experienced consultants to handle this, this can be done quickly and with ease. Companies need to start complying to the CCPA requirements to avoid any unnecessary penalties and financial losses in future.  Act now and begin your CCPA compliance journey.