The California Consumer Privacy Act is here. Businesses around the nation must now take action to protect new legal privacy rights granted to California residents. As with any new compliance regime, dotting the i’s and crossing the t’s for CCPA requires a careful review of business practices. Now that the dust is settling on initial compliance efforts, many organizations find themselves at the perfect point to assess the effectiveness of their CCPA controls.
While it technically applies only to California residents, CCPA is likely to spark a wave of similar legislation in other states. California was the first state to introduce a data breach notification law in 2002. Today, nearly two decades later, there are similar laws on the books in every state. With this trend in mind, businesses should expect to scale these responses to their operations nationwide.
Organizations should consider the following when determining their current CCPA compliance status.
Accurately determine the scope of compliance
If an organization has not yet begun CCPA compliance efforts because it believes it falls outside the law's scope, it should verify that this assumption is valid. CCPA applies to most for-profit organizations that do business in the state of California and collect the personal information of California residents. Note that CCPA does exempt businesses with less than $25 million in revenue that handle data for fewer than 50,000 consumers and derive less than half their revenue from selling personal information.
Map all CCPA-covered data elements
CCPA includes broad requirements that cover almost all personally identifiable information (PII). To remain compliant, organizations should conduct accurate mapping to understand where PII is located.
Conduct mandatory CCPA training
Businesses covered by CCPA are required to train employees who handle customer inquiries on the businesses’ obligations under CCPA. This training must include procedures for responding to customer inquiries about exercising their privacy rights.
Implement mechanisms to handle consumer privacy requests
CCPA grants consumers the right to access the personal information a business has collected about them. Under some circumstances, they may request that the business delete that information. Responses to these requests must be timely and occur within 45 to 90 days. The business must also provide data in a readily usable format.
Simplify consumer privacy request mechanisms
Many businesses are seeing an influx of CCPA requests from consumers exercising their new rights. While this initial flood of requests may not be representative of the number of requests that businesses will receive on an ongoing basis, the CCPA process is not going to go away. With a few months of experience under their belts, businesses should examine the processes they have in place to handle these requests and see if they can reduce costs by streamlining and automating responses to consumers.