Is your organization on top of its requirements for the CCPA (California Consumer Privacy Act)?
The CCPA came into effect on January 1, and requires organizations to tell California residents when their personal data is being collected and what it’s being used for.
Consumers also have the right to:
- Access the personal information that organizations collect or process about them
- Request that organizations delete their personal data under certain circumstances
- Request that organizations don’t sell their personal data to third parties
What can you do to make sure you’re ready for the CCPA? Let’s take a look at five ways you can boost your compliance posture.
1. Data mapping
To accurately catalog information in external privacy policies, organizations must understand what personal data resides in their systems, both at rest and in transit.
This might not sound difficult, but it can be complicated in practice. You must create and maintain inventories through active operations and system changes.
Part of this process involves mapping the flow of personal information, from collection and use to deletion.
This will be a time-consuming activity, particularly for organizations that have large, complicated business architectures. The more business areas are siloed, the more likely they are to use different services, such as Software-as-a-Service platforms and CRM (customer relationship management) systems.
Information might also be stored in legacy systems or used by overlapping functions like sales, marketing, and customer support.
Organizations can minimize the risk of mistakes when completing this process by using dedicated software, such as our Data Flow Mapping Tool, which gives you a thorough understanding of the personal data your organization processes.
2. New individual rights to data access and deletion
Under the CCPA, California-based individuals have a right to access the personal data organizations process about them and to challenge the way that information is used. Specifically, they can ask organizations to delete personal data, provided there’s no overriding need to keep it.
Organizations must be prepared to meet those requests promptly, which means creating a process for receiving requests, verifying the identity of the data subject, and completing their request.
It may be beneficial to build an account portal where consumers can access and manage information on their own. However, organizations can’t force customers to create an account, so they must make other options available.
Another new right under the CCPA is the right to deletion. Section 105 states: “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”
Organizations will need to consider how they will manage these requests from a technical perspective. How can you delete the data? Is there a legitimate business need to retain it?
3. New individual right to opt out of data sales
Organizations such as ad brokers that sell personal information to third parties must prepare for an additional consumer right that applies specifically to them. As the CCPA states:
“A consumer shall have the right, at any time, to direct a business that sells personal information […] not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.”
If a data subject exercises this right, the organization must ensure that their information is excluded from databases that will be sold to a third party.
Organizations that sell personal information should also prepare processes to manage flow-down requests to service providers.
4. Updating service level agreements with third-party service providers
In today’s era of cloud computing, it’s not uncommon for organizations to rely on service providers to process personal information. HR and personnel information may be stored on a dedicated management platform, and customer data may reside on servers managed by companies like Amazon, Google, or Microsoft.
In these situations, the organization that collects the information, or that determines the purposes and means of processing, must understand how consumer requests flow down to and are managed by service providers (i.e. organizations that process personal information on behalf of another).
This might involve elements of contract management to ensure all standard agreements contain provisions for enforcing and responding to consumer requests.
Those agreements should also contain measures that ensure personal information is adequately protected. This can help reduce (or perhaps allocate) liability between organizations in the event of a data breach.
5. Remediation of information security gaps and system vulnerabilities
Section 150 of the CCPA states that organizations have a duty to implement and maintain “reasonable” security procedures and practices. How that term will be defined has yet to be articulated, and it might become a matter of Attorney General guidance and judicial case law.
In either case, the ultimate concern for organizations is the potential for lawsuits. As the CCPA states: “Any consumer whose personal information is subject to unauthorized access and exfiltration, theft, or disclosure can institute a civil action against the organization.”
Large data breaches could see thousands of plaintiffs in a class-action suit. This reiterates the importance of good internal security and contracts with business partners that address data security.
How IT Governance can help
The CCPA takes effect next year, and there’s a lot you’ll need to prepare. You can find out how to get started by reading The California Consumer Privacy Act (CCPA): An implementation guide.
This handbook, written by attorney and GRC consultant Preston Bukaty, explains the CCPA’s requirements in simple terms and how organizations can implement strategies to comply with its rules.
There’s more advice on how to prepare for the CCPA on our website, where you can browse our selection of books, training courses, and staff awareness solutions, as well as our CCPA gap analysis and consultancy services.