The CCPA is one of the most sweeping data privacy regulations to come into effect in the United States and is applicable to any company processing the personal information of a California resident.
This guide provides a practical at-a-glance resource for organizations that are looking to become compliant with the CCPA and will be updated periodically.
We will not be dealing with fines here, which have the potential to be very large indeed - for further detail on fining practice we refer you to this useful IAPP resource: possible fines under CCPA.
1. Understand whether the CCPA is applicable to your company
The first step to CCPA compliance is understanding whether you hold California residents’ personal information.
If you do hold California residents’ personal information and you meet one of the following criteria, the CCPA will apply:
Have annual gross revenues in excess of $25m,
Process the personal information of 50,000 or more California consumers, households, or devices, or
Derive 50% or more of annual revenues from selling California consumers’ personal information.
There are common misconceptions that the CCPA does not apply for various reasons. These might include:
“I do not sell data”
“I am a financial services company”
“I already comply with GDPR”
“I am B2B”
“I do not have customers in California, only employees”
2. Understand the definition of personal data
Importantly, personal data is defined very broadly. Currently, under the legislation as drafted, this means:
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Any categories of personal information described in subdivision (e) of Section 1798.80.
Characteristics of protected classifications under California or federal law (e.g. race, religion, AIDS/HIV status, sexual orientation).
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
3. Assign responsibility to someone in your organization
With the GDPR this person is often called the Data Protection Officer (DPO), and some companies are required to appoint one under the law. But regardless of the specific legislative requirements, it is important that someone be assigned ultimate responsibility within your organization, as this will help provide focus to the complex set of activities you need to undertake in preparing for the CCPA, staying compliant, and ultimately protecting your company from fines and court actions.
4. Review your current data processing activities and policies
The CCPA is a new paradigm in data privacy. It is of utmost importance to undertake a full review of how data is processed within the organization in order to ensure that data processing is functioning as expected. This often involves:
Reviewing internal compliance policies to understand whether they are in line with the requirements of the CCPA.
Updating those policies where they fall short of the requirements of the CCPA.
Comparing the harmonized policies against actual workflows and practices internally.
Identifying issues and providing solutions where policies and practices do not match up.
(Ohalo works with a number of partners both in privacy consulting and data compliance workflow tools that can assist you. Please contact us for further information.)
5. Build a map of data processing activities and update that map periodically
One of the most time-consuming tasks that an organization can undertake in preparing for the CCPA is data mapping. This involves examining your data on a record-by-record basis to understand in detail the specific data that your organization holds in both (i) structured data in databases and (ii) unstructured data in documents, PDFs, spreadsheets, and more.
In a large organization this might take several months and $100,000s in consultant fees and/or staff time if done manually.
(Ohalo’s Data X-Ray automates this process by connecting to your data sources, from Windows file drives to SQL databases, in order to provide accurately classified data maps in hours instead of months.)
6. Map data flows to third parties and review service provider agreements
Part of your data map will show that data is flowing to third parties. This might be something as standard as using Google Drive data storage, or something as complicated as a custom data dump to a third party vendor for operational purposes.
It is extremely important that you:
Know why that data is being sent to third parties,
Know how those third parties use that data, and
Know whether that usage is compliant with the CCPA, as reflected in your third-party service provider agreements and privacy notices.
As with the GDPR, transparency is a key driver behind the CCPA. While seemingly simple, this is actually very hard. It is important that you make very clear to consumers exactly how their data is used, and then use that data in the way that you say you are going to use it. If not, large fines may await.
8. Run mock tests to understand if you are prepared to answer a data access or deletion request
Finding data about individuals in large unstructured and structured data sets has been a key operational challenge for organizations under the GDPR and will continue to be so for organizations under the CCPA. The GDPR stipulates a tight response time of one month for subject access and deletion requests. This has been a major problem for most companies, which run the risk of substantial fines if they fail to comply.
The greatest part of this challenge is the long manual processes that characterize searches for individuals. After the initial request, organizations often resort to manual processes, casting around various divisions to ask unengaged colleagues to collate data, frequently resulting in patchy responses which provide no certainty for the company as to whether the search has been sufficiently comprehensive or accurate under the law.
(If you find your organization lacking in this area, Ohalo’s Data X-Ray allows you to collate comprehensive data about individuals in minutes across your organization and build case files for request and deletion fulfillment. We also provide one-off response services.)
9. Understand whether you are selling data
A key difference between the CCPA and the GDPR is the requirements around selling data. The GDPR does not specifically mention the selling of data, while the CCPA allows consumers to specifically prohibit the selling of their data to third parties. This is one of the most controversial parts of the CCPA, as the activity of “selling” (whether for money or other consideration) is not well defined in terms of operational workflows.
10. Understand scope overlap with other regulations
The CCPA can overlap with several different regulations like the GDPR, HIPAA, GLBA, COPPA, GDPL and more. Your organization needs to understand that compliance with one of these regulations, while it may get you a long way there, does not necessarily mean compliance with the CCPA, one of the broadest privacy regulations yet.
Ohalo builds tools to automate data governance. The Data X-Ray automatically scans and classifies unstructured and structured data sources for personal data, cutting data mapping times from months to hours and allowing organizations to fulfill data subject access and deletion requests in minutes. Simply sign up here or ask for a demo.