Time is Running Out: 5 Steps to Prepare for the CCPA - InformationWeek


Commentary | 2/11/2020 07:30 AM | Caitlin Fennessy, Research Director, International Association of Privacy Professionals

The nation's most comprehensive data privacy law has gone into effect and enforcement is just around the corner. Worried about compliance? Follow these guidelines.

Image: Pixabay

On January 1, the California Consumer Privacy Act (CCPA) went into effect, creating new protections for the personal data of California residents and new requirements for the businesses that process it.

The CCPA is state-specific but applies to many businesses that may not consider themselves to be under the purview of California law. Here’s how to determine how the CCPA applies to your organization and take the proper steps toward compliance.

1. Determine who you are under the CCPA

You should first determine if and how the CCPA applies to your organization. Is your organization a covered business? If so, is it “selling” personal data? Are you classified as a service provider or a third party? What about your vendors? Might your organization fall into more than one of these categories?

Your organization is covered if it is a for-profit entity that does business in California, collects the personal information of California residents, determines the purposes and means of processing that information, and at least one of the following applies: 

  • Has annual gross revenues in excess of $25 million.
  • Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

Note that under the CCPA the term “sell” is defined broadly to include many actions that your business may not have regarded as sales. For example, placing a third-party cookie on your website to enable advertising could fall within scope, as could allowing vendors to analyze data for their own purposes. The CCPA definition of personal information is similarly broad and includes cookies, device identifiers, pixel tags, customer numbers, information linked to a household, and more.

2. Update your vendor contracts

Updating vendor and customer contracts is critical to compliance and to limiting liability. In fact, for a vendor to be classified as a service provider under the law, a contract must be in place. To avoid the requirements associated with the “sale” of personal information, the stated expectation in contracts and other communication with vendors going forward may become that vendors have not and will not “sell” personal information.

This article guides you through the nuances of determining whether your organization or vendors are classified as service providers or third parties.

3. Update your privacy policy

Covered businesses need to update privacy policies and other relevant disclosures to ensure consumers receive the information required by the CCPA at the appropriate time. In particular, the categories of personal information to be collected, and the purposes for which those categories will be used, must be disclosed to the consumer at or before the point of collection.

Regarding privacy policies, businesses must disclose the following: 

  • Descriptions of the rights to access and delete personal data, to obtain information about disclosures, to opt out of sales, and to not be discriminated against for exercising those rights.
  • Methods for submitting requests for information, including a toll-free telephone number and a website address.
  • Categories of personal information collected in the past 12 months.
  • Categories of personal information sold or disclosed for a business purpose in the past 12 months or a statement that personal information is not sold or disclosed for a business purpose.
  • If personal information is sold, a link to the separate “Do Not Sell My Personal Information” webpage, which enables consumers to opt out of the sale of their personal information.

4. Enable consumer requests, engagement and opt-out of data sales

Businesses need to create, or confirm the availability of, processes that enable consumer requests. An important consideration at the outset is whether to adopt a global approach to consumer access requests or to segment individuals by location and the legal requirements that apply to each.

Immediate areas to enable include: 

  • Access to and deletion of personal data.
  • Opt-out of sales of personal information.
  • Opt-in to sales of personal information. Organizations selling personal information must create processes to enable opt-in consent for consumers between 13 and 16 years old and parental opt-in consent for those under 13.

5. Implement employee training

The CCPA requires that all individuals responsible for handling consumer inquiries about the business’s privacy practices or compliance with the law are informed of its requirements and how to direct consumers to exercise their rights.

Key areas to target are the law’s overall requirements, the handling of access and deletion requests, verification processes, and reasonable security practices (given the risk of harm from data breaches and the private right of action the CCPA attaches to them).

With only 4% of firms considering themselves fully CCPA compliant as of November 2019, there is a lot of work to be done in the next few months. Make sure you and your organization are ready, because July enforcement is just around the corner.

Caitlin Fennessy is Research Director at the International Association of Privacy Professionals (IAPP), where she helps to promote the privacy profession through empirical and qualitative research on privacy functions globally. Prior to joining the IAPP, Fennessy was the Privacy Shield Director at the US International Trade Administration. She has a master’s degree in public affairs from Princeton University and a bachelor’s degree in social policy from Northwestern University.
