The California Consumer Privacy Act (CCPA) is state-level legislation requiring businesses to disclose how they collect, use, store, and safeguard the personal information of California consumers. It went into effect in January 2020. It has been widely compared with the GDPR, though it is less stringent and the penalties for non-compliance are lower.
A for-profit business must follow the CCPA rules if any of the following conditions are true:
If a business falls under the CCPA compliance requirements, executives and managers must take the necessary steps toward meeting them. We've distilled the process of complying with CCPA down into 10 short steps. Use this as a primer for CCPA.
Step 1. Outline Project Objectives
Setting objectives from the start will prove tremendously helpful when working toward CCPA compliance. Companies need to understand assignments, milestones, requirements, and timelines. As with all compliance work, treat the process like you would any other project.
Answer the following questions to help get the conversation started:
Managers should also meet with legal counsel to ensure that they understand how the CCPA will apply to and affect the business.
Step 2. Audit the Organization’s Privacy and Info Sec Stance
The next step is to assess the current state against what the CCPA requires. The simplest, highest-level approach is a gap assessment: identify the gaps between what is done today and what needs to be done to comply with CCPA.
A good place to start is to look at what data your company collects, including the following 11 types of consumer information:
Document all of the above and ensure the reasons for collecting each type of data are clearly identified and recorded.
Then, take a look at the following areas for compliance:
Compare data sources to the areas of compliance to assess where the organization stands.
Step 3. Consider the Performance Gaps
Once managers have performed the gap assessment described above, it's time to draft a mitigation plan that determines where the company needs to improve to meet the requirements of CCPA.
It’s critical that managers also communicate the responsibilities for gap identification, including:
Step 4. Designate a CCPA Roll-Out Taskforce
Addressing CCPA compliance can cause company-wide disruption. However, teams can mitigate this by carefully planning the roll-out. First, consider the company's culture and its employees' tolerance for change.
A CCPA task force, which in small companies can be one or two people, will ensure a strategic approach toward achieving compliance as seamlessly as possible.
Step 5. Roll Out Communications Company-Wide
Before training employees, announce the new changes and how they affect each department and position. Explain why the company is going down this path. Company-wide adoption is essential to uniform compliance. Use communication modes that make sense for the organization, including intranet messages, meetings, and emails.
Step 6. Train Employees
A CCPA roll-out should include high-level training on CCPA. Training gives your employees a common language around the regulation and its requirements. It will also help your sales and account teams discuss it with the market.
As part of complying with CCPA, all employees should receive security awareness training. In addition, employees who interact with customers in any way should be trained on the data rights granted by CCPA, since they are the ones who will field consumer requests.
Upon training completion, employees should be able to demonstrate an appropriate level of knowledge regarding the CCPA and basic security awareness topics.
Step 7. Revise Company’s Policies
Not only will managers have to train employees and revise how they handle consumer data, but they will likely have to amend their privacy policies or draft new ones specific to the CCPA.
Privacy policies should be updated to include the following consumer rights:
Step 8. Revise Third-Party and Vendor Agreements
Beyond privacy policies, managers and legal counsel will also want to review their third-party and vendor agreements. Pay close attention to contracts with any third parties that handle or process consumer data on the company's behalf.
Step 9. Display Website Notifications and Banners
The next step is to make the policy revisions visible and accessible to users. Businesses can use a variety of methods to communicate and display these rights to consumers. For example, many companies add a link to their privacy policy in the website's footer navigation, and businesses that sell personal information must also provide a "Do Not Sell My Personal Information" link; many pair this with a cookie and opt-out banner.
Step 10. CCPA Oversight and Monitoring Efforts
Execute the newly created CCPA measures and monitor progress over the long run. The policies a company puts in place must be revised and refined to strengthen these consumer protections and to keep pace as the company and its technology evolve. Continually assess effectiveness and identify new gaps.
Final Word: Don’t Delay on CCPA Compliance Efforts
Complying with CCPA matters. The California Attorney General's office can fine businesses up to $2,500 per violation, and up to $7,500 per intentional violation. When a single process can touch millions of consumer records, these fines can add up fast.
Don't put the process off. Instead, get started on CCPA compliance as soon as possible.