CCPA (California Consumer Privacy Act) Compliance Checklist

The CCPA (California Consumer Privacy Act) took effect on January 1, 2020, enhancing California residents’ privacy rights and providing protection to consumers concerning how their personal information is used.

The CCPA applies to legal entities that do business in California and collect Californian consumers’ personal information (irrespective of where those entities are based), and that fulfill certain criteria. It gives rights to the consumer, who now has a say in how and with which third parties their data can be shared.

Learn more about the CCPA’s requirements and how they could affect your organization

Free PDF: CCPA Compliance Checklist

To help organizations comply with the CCPA, we’ve created this simple compliance checklist to help you determine whether the CCPA applies to your organization and, if it does, provide an overview of what you need to do to comply with the law. Download your free copy of the CCPA compliance checklist today.


Before you get started: does the CCPA apply to your business?

The CCPA applies to any for-profit organization that does business in California and collects or determines the purposes and means of processing consumers’ personal information. In addition, it only applies to businesses that:

  • Have an annual gross revenue in excess of $25 million;
  • Annually buy, receive or share for commercial purposes, or sell personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50% or more of their annual revenue from selling consumers’ personal information.

It is important to be aware that the CCPA applies not only to your organization but also to all organizations you do business with. There are other exceptions that you should familiarize yourself with.

Step 1: Obtain board-level support and establish accountability

Complying with the CCPA – and maintaining compliance – requires top-level support. It is essential that your organization’s board understands the law and its implications so that your compliance project receives the resources it needs in order to achieve long-term results.

What you should do:

  • Advise the board about privacy risks and the benefits of CCPA compliance. Download our free CCPA guide for further support.
  • Obtain management support for your CCPA compliance efforts. This will require securing the necessary resources and budget for your CCPA project.
  • Assign accountability (key roles and responsibilities) for CCPA compliance.

Further information:

The California Consumer Privacy Act (CCPA): An implementation guide

This book is the ideal resource for organizations that want to understand the CCPA and how to comply with it. It provides the reader with a comprehensive understanding of the CCPA and explains how businesses can implement strategies to comply. The guide covers the territorial and material jurisdiction of the CCPA, key definitions, roles, rights of the consumer, obligations of the business, security requirements, penalties, breach notifications, related laws, and future developments. It also includes the full text of the Act.


Step 2: Identify your CCPA compliance gaps by conducting a detailed gap analysis

A CCPA gap analysis will help you understand how your current practices meet the CCPA’s requirements, as well as where they fall short. You can then prioritize the areas that must be addressed to comply with the law. Your gap analysis should cover governance, risk management, CCPA project management, information security responsibility, roles and responsibilities, scope of compliance, process analysis, the PIMS (personal information management system), the ISMS (information security management system), and the rights of consumers.

What you should do:

  • Review the CCPA to understand its requirements.
  • Audit your privacy and security programs against the CCPA’s requirements.
  • Determine which compliance gaps require remediation.

Further information:

California Consumer Privacy Act (CCPA) Gap Analysis

This service assesses your organization’s current level of compliance with the CCPA and helps identify and prioritize the key work areas that your organization must address to be compliant.


Step 3: Create a personal information inventory and map data flows

The CCPA grants California consumers the right to know what personal information is being collected, processed, and sold, as well as the source of that information. Identifying data collection points and documenting these in data maps enables timely, complete, and compliant responses to data access requests.

There are 11 categories of consumer information, ranging from name, address, and email address, to biometric information, geolocation data, audio-visual information, and employment information, to inferences that can be drawn from any information to create a profile about a consumer that reflects their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Data maps can facilitate more robust and accurate privacy notices, resulting in a higher degree of compliance. This is because they can reveal downstream processing activities that may not be obvious to data collectors, but of which data subjects must be informed at the time of collection.

What you should do:

  • Assess the categories of personal information your organization holds, where the personal information comes from, and the business or commercial purpose for processing it.
  • Document how personal information flows to, through, and from your organization.

Further support:

Data Flow Mapping Tool

The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held, and how it is transferred. The tool is a Cloud-based application, licensed for up to five users and accessible via any compatible browser.


Step 4: Develop operational policies, procedures, and processes

Once you have identified your compliance gaps and mapped your personal data flows, you should bring the way you process personal information in line with the CCPA’s requirements. This will include reviewing your existing policies, procedures, and contracts, and implementing new ones as necessary. You will also need to update your website to ensure the appropriate messages are visible to consumers.

What you should do:

  • Implement a process to delete consumer data to comply with the CCPA’s right to be forgotten.
  • Ensure your personal information protection policies and privacy notices are in line with the CCPA. Provide required CCPA notices including opt-out and opt-in rights.
  • If you sell personal information, ensure your website contains a “Do Not Sell My Personal Information” option.
  • Ensure your privacy policy includes a link to the “Do Not Sell My Personal Information” page.
  • Review employee, customer, and supplier contracts, and update them if necessary to cover personal information processing.
  • Plan how to recognize, verify, and respond to verifiable consumer requests to access or delete their personal information. Ensure that you are in a position to respond to data subject access requests by consumers (free of charge) within 45 days, by mail or electronically. You will also need to provide consumer data upon request in a “readily useable format.” This process should be documented, and should include a toll-free number and website address.

Further support:

GDPR Toolkit

The EU’s GDPR (General Data Protection Regulation) and the CCPA share many requirements, and many processes designed for GDPR compliance are applicable to the CCPA. Our GDPR Toolkit contains more than 80 document templates – including policies, procedures, and checklists – designed to aid GDPR compliance, which you can adapt to streamline your CCPA compliance program.


Step 5: Implement processes and technical measures to secure personal information

Implementing appropriate measures to secure the personal information your organization processes is paramount to your compliance.

What you should do:

  • Have an information security policy in place.
  • Implement basic technical controls, such as those specified by established cybersecurity frameworks like the NIST CSF (Cybersecurity Framework), the 20 CIS Controls™, or the information security standard ISO/IEC 27001:2013.
  • Use encryption and/or deidentification where appropriate.
  • Create and maintain a robust incident response plan, and ensure policies and procedures are in place to detect, report, and investigate breaches of personal information.

Further information:

ISO 27001 implementation

Implementing an ISMS in accordance with global best practice as outlined by ISO 27001 and its control framework ISO 27002 can provide significant benefits in protecting your data and minimizing your risk of a data breach. We offer a wide range of solutions to help you, including free guides and books, training courses, documentation templates, software, and consultancy.


Step 6: Ensure employees are trained and competent

You need to ensure that your employees who are responsible for handling consumer inquiries regarding their privacy rights are informed of the CCPA requirements and know how to maintain good data hygiene.

What you should do:

  • Ensure internal communications with stakeholders and staff are effective.
  • Train your employees to understand the importance of personal information protection, basic CCPA principles, and the procedures you have implemented to ensure compliance.

How we can help:

California Consumer Privacy Act Foundation Training Course

Delivered by an experienced privacy consultant, this one-day, online training course will give you a clear understanding of the main elements of the CCPA. It is suitable for anyone involved in information management, data protection compliance, or data privacy compliance, or as part of implementation programs for organizations located or doing business in the state of California. Participants who pass the included exam are awarded the California Consumer Privacy Act Foundation (CCPA F) qualification by IBITGQ.


Step 7: Monitor and audit compliance

Complying with the CCPA is an ongoing process, not a one-off project. Periodic internal audits will ensure your activities remain up to date and that you will not fall out of compliance. An audit should review relevant policies to ensure that they are current, compliant, and accessible.

What you should do:

  • Schedule regular audits of personal information processing activities and security controls.
  • Keep records of personal information processing up to date.

Further support:

Compliance with the CCPA can be complex and unfamiliar to many organizations. Relying on the audit experience of trained privacy and cybersecurity professionals can minimize your organization’s risk of non-compliance and ensure that you are ready to respond to consumer requests promptly and in accordance with the law.

Contact us now to find out how we can help you improve your CCPA compliance.
