10 Step Guide to Complying with CCPA

Travis Good
June 14, 2021

The California Consumer Privacy Act (CCPA) is state-level legislation requiring businesses to disclose how they collect, store, and safeguard private California-based consumer data. It went into effect in January 2020. It has been widely compared with GDPR though it is not as stringent and the penalties for not complying are lower.

A for-profit business must follow the CCPA rules if any of the following conditions are true:

  • grosses $25 million or more annually;
  • engages in commerce with 50,000 or more consumers; or
  • earns a majority of its revenue from consumer data.

If a business falls under CCPA compliance requirements, executives and managers must take the necessary steps towards meeting them. We’ve distilled the process of complying with CCPA down into 10 short steps. Use this as a primer for CCPA.

Step 1. Outline Project Objectives

Setting objectives from the start will prove tremendously helpful when complying with CCPA. Companies need to understand assignments, milestones, requirements, and timelines. As with all things compliance, treat the process like you would any other project.

Answer the following questions to help get the conversation started:

  • Are we starting fresh, or can we build upon an existing info sec and compliance program? Chances are, in 2021, you have some form of program to build upon.
  • How have we handled consumer data in the past? If you comply with GDPR, you will have the necessary policies and procedures in place for data handling.
  • Who are our key stakeholders? Again, look at what you have in place today for privacy and security officers and roles.
  • How can we design our program to meet future needs? This is hard considering how quickly new privacy regulation is being passed. That said, it’s safe to assume that the practices you put in place for CCPA will be repeatable for other privacy regulations in the future.
  • What resources do we have available to execute the plan? For smaller companies, this can be the hardest problem to solve as you may have to add responsibilities for existing employees.

Managers should also meet with legal counsel to ensure that they understand how the CCPA will interact with and affect the business.

Step 2. Audit the Organization’s Privacy and Info Sec Stance

The next step is to assess the current state against what CCPA requires. The simplest, highest-level approach is a gap assessment: understand the gaps between what is done today and what needs to be done to comply with CCPA.

A good place to start is to look at what data your company collects, including the following 11 types of consumer information:

  1. Personal identifiers
  2. Personal information under California records destruction laws
  3. Protected classifications
  4. Commercial information
  5. Biometric data
  6. Internet activity
  7. Geolocation information
  8. Audio or visual information
  9. Employment information
  10. Education data
  11. Inferences made from sources

Document all of the above and ensure the reasons for collecting each type of data are clearly identified and recorded.

Then, take a look at the following areas for compliance:

  • Data processing flows (including consumer rights / requests)
  • Privacy policies
  • Oversight management
  • Third-party contracts (think cloud providers)
  • Data storage inventories

Compare data sources to the areas of compliance to assess where the organization stands.

Step 3. Consider the Performance Gaps

Once managers have performed the gap assessment described above, it’s time to draft a mitigation plan that determines where the company needs to improve to meet the requirements of CCPA.

It’s critical that managers also communicate who is responsible for closing each identified gap, including:

  • How to organize and identify consumer data
  • What CCPA notices and opt-out measures are necessary
  • How the company will delete data for compliance
  • What the company will do to provide customer data upon request (both process and technology)
  • What service agreements need improvement
  • How the company will roll out the new program, including how employees will be educated

Step 4. Designate a CCPA Roll-Out Taskforce

There’s no question that addressing CCPA compliance will cause company-wide disruption. However, teams can mitigate this by carefully planning roll-out measures. First, consider the company’s culture and its employees’ tolerance for change.

A CCPA task force, which in small companies can be 1-2 people, will ensure a strategic approach toward achieving compliance as seamlessly as possible.

Step 5. Roll Out Communications Company-Wide

Before training employees, announce the new changes and how they affect each department and position. Explain why the company is going down this path. Company-wide adoption is essential to uniform compliance. Use communication modes that make sense for the organization, including intranet messages, meetings, and emails.

Step 6. Train Employees

A CCPA roll-out should include high-level training on CCPA. Training on CCPA gives your employees a common language around the regulation and its requirements. It will also help your sales and account teams talk about it with the market.

As part of complying with CCPA, all employees should receive security awareness training. In addition, employees who interact with customers in any way should be trained on the data rights granted by CCPA.

Upon training completion, employees should be able to demonstrate an appropriate level of knowledge regarding the CCPA and basic security awareness topics.

Step 7. Revise Company’s Policies

Not only will managers have to train employees and revise how they handle consumer data, but they will also likely have to amend their privacy policies or draft new ones specific to CCPA.

Privacy policies should be updated to include the following consumer rights:

  • Right to Know: Consumers can ask how their information has been collected, stored, and used over the preceding 12 months.
  • Right to Delete: Inform customers that they have a right to request deletion of their personal information.
  • Right to Opt-Out: Customers can opt out of the sale of their personal information to third parties.

Step 8. Revise Third-Party and Vendor Agreements

Beyond privacy policies, managers and legal counsel will also want to review their third-party and vendor agreements. Pay close attention to contracts with any third parties that handle or process consumer data for your company.

Step 9. Display Website Notifications and Banners

The next step is to make policy revisions visible and accessible to users. Businesses can use a variety of methods to communicate and display rights to consumers. For example, many companies add a link in their website’s footer navigation and may also use a cookie and opt-out banner.

Step 10. CCPA Oversight and Monitoring Efforts

Execute the newly created CCPA measures and monitor progress over the long run. The policies a company puts in place must be revised and refined to strengthen these consumer protections and evolve as the company (and its technology) evolves. Continually assess effectiveness and identify gaps.

Final Word: Don’t Delay on CCPA Compliance Efforts

Complying with CCPA matters. The California Attorney General’s office can fine businesses between $2,500 and $7,500 per violation. When dealing with potentially millions of data points across numerous processes, these fines can add up fast.

Don’t avoid the process now. Instead, get started on CCPA compliance as soon as possible.