Preparing for the CCPA: A 6-step guide

Next year, organizations across the U.S. will have a new law to contend with when collecting personal data – the CCPA (California Consumer Privacy Act).

Under the new rules, which take effect from January 1, 2020, organizations must tell California residents when their personal data is being collected and what it’s being used for.

Meanwhile, individuals have the right to:

  • Access the personal information organizations store on them
  • Request that organizations delete their personal data
  • Request that organizations don’t sell their personal data to third parties

So, what do organizations need to do over the next few months to ensure they’re ready to meet these requirements? Take a look at our six-step guide to find out.

1. Check whether the CCPA applies to you

Your first task is to assess whether you are subject to the CCPA. This will be the case if you do business in California (regardless of where you are based) and:

  • Have a gross annual turnover of $25 million or more;
  • Buy, receive, sell, or share the personal data of 50,000 or more consumers; or
  • Derive 50% of more of your annual revenue from selling consumers’ data.

This makes the CCPA less extensive than, say, the EU’s GDPR (General Data Protection Regulation), which applies to any organization that collects EU residents’ personal data, or New York’s recently passed SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which applies to any New York-based organization.

By contrast, the CCPA leaves enough room to ensure that most small organizations are exempt. If you’re unsure whether any of these criteria apply to you, you should consult with management.

2. Secure management buy-in

Assuming that the CCPA does apply to your organization, the next step is to make sure senior staff are aware of your compliance requirements.

It will take time and resources to meet these requirements, so you’ll need management’s approval before you can go ahead with the necessary changes.

3. Assemble a project team

It’s always preferable to have a team overseeing your compliance project rather than tackling it piecemeal. This allows you to have a more focused plan where everybody knows their responsibilities.

The team should consist of a leader with a well-rounded knowledge of data privacy, and a cross-departmental group of employees to provide insight into various parts of the organization.

4.  Map your data

There are two reasons to map your data. First, you need a clear idea of how personal information flows through your organization to be able to quickly locate individuals’ data when they ask to review or amend it.

Second, a data map might reveal ways in which you can streamline data flows, which can make it easier to meet individuals’ requests within the allocated time frame.

5. Review data retention schedules

Organizations are required to explain to individuals why they are collecting their personal data. They must also acknowledge that their stated purpose will be valid for a set length of time.

For example, if you are collecting data to fulfill a contract, you should only keep the data for the duration of the contract.

When you document the purpose for the personal data you store, you must therefore also note how long you will be keeping it and make plans to dispose of it.

6. Document privacy compliance activities

You must always keep a record of the steps you are taking to ensure CCPA compliance. Documentation can save you in the event of an investigation, because it helps prove that you had processes in place to meet your requirements.

Likewise, documentation is essential for auditing purposes, as it gives you something to work with when reviewing your compliance practices.

Start preparing now

Although the CCPA doesn’t take effect until the new year, there’s a lot of work you’ll need to do by then, so you should get started as soon as possible.

You can find out more about how to prepare with The California Consumer Privacy Act (CCPA): An implementation guide.

This handbook, written by the attorney and GRC consultant Preston Bukaty, explains the CCPA’s requirements in simple terms and how organizations can implement strategies to comply with its rules.

Find out more >>