CCPA stands for the California Consumer Privacy Act (2018), a law intended to enhance privacy rights and consumer protection for residents of California, United States.
The CCPA gives California residents the right to know what personal data is being collected about them, whether it is sold or disclosed, and to whom. Under the act, they can access the personal information a business has collected about them, request that it be deleted, and opt out of the sale of their personal information.
Businesses must give consumers a notice explaining their privacy practices and must not discriminate against consumers for exercising their rights under the CCPA.
CCPA compliance requirements
For CCPA compliance, PI (personal information) is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The legislative text lists a number of examples of PI but states that the list is not exhaustive.
Examples include typical identifiers such as:
- Postal addresses
- Unique personal and online identifiers
- IP addresses
- Email addresses
- Social Security, driver’s license, and passport numbers
They also include biometric information, geolocation data, commercial information, and internet activity.
The requirements for CCPA compliance include:
- Inventory of the collected consumer PI: Consumer rights under the CCPA cover a broad range of PI, including anything that can be associated with a consumer or household, such as IP addresses and shopping history. Companies need a complete inventory of the consumer data they collect and of where it is stored.
- Processes to execute access and deletion requests: The CCPA grants consumers rights of access and deletion upon request. Companies need to be able to locate the relevant PI across all of their systems, complete the request within 45 days, and consider any applicable exceptions before deciding whether to fulfill the request.
- Disclosure of PI sharing and sale: Companies must allow consumers to opt out of the “sale” of their PI to other companies, where “sale” includes any transfer of PI in exchange for money or something else of value. An affiliate operating under the same brand is treated as the same entity, while an affiliate under a different brand is treated as a separate entity, so some affiliate sharing may count as a “sale” and require proper disclosures.
Who is required to comply with CCPA?
Companies that do business in California and collect or work with PI relating to California residents are required to comply with the CCPA. A company must comply if it:
- Is a for-profit entity
- Does business in California
- Collects, or has collected, PI of consumers
- Solely or jointly determines the purposes and means of processing that PI
- Meets one or more of the following thresholds:
  - Derives 50% or more of its annual revenue from selling PI
  - Buys, receives, sells, or shares the PI of 50,000 or more consumers, households, or devices annually
  - Has annual gross revenue of $25 million or more
Companies that fail to comply with the CCPA are first notified of the alleged violation and given 30 days to cure it. If they do not, they face a civil action with civil penalties of up to $7,500 per intentional violation. A data breach resulting from inadequate security practices separately exposes the business to a private right of action by the affected consumers.
How do you become compliant with CCPA?
Supporting CCPA compliance is a four-step process:
1. Understand consumer rights
Consumer rights under the CCPA can broadly be grouped into the following five categories:
- Right to be informed. This right includes both “to know what personal information is being collected about them” as well as the right “to know whether their personal information is sold or disclosed and to whom.”
- Right to opt out. This right refers specifically to having the PI sold, enabling Californians “to say no to the sale of personal information.” It does not necessarily restrict other forms of personal information processing.
- Right of access. This right allows consumers to obtain “the specific pieces of personal information” that have been collected about them, along with the sources of that information, the purpose for collecting or selling that data, as well as third parties with which the information is shared.
- Right of deletion. This right allows consumers to request that their personal information be erased, subject to some conditions. For example, companies can still keep information to protect against fraud or to comply with other legal obligations.
- Right to non-discrimination. This right ensures that Californians can exercise rights over their data without fear of discrimination. Specifically, the regulations guarantee “the right of Californians to equal service and price, even if they exercise their privacy rights.”
2. Review consumer information you collect
Examine the consumer PI you hold and ask:
- How is it collected across the different channels?
- Where and how is it stored? What information security controls protect it? Do they need strengthening?
- How is it processed?
- Do you share consumer PI with any other entity? How and why? How does that entity use the shared information? Are those entities themselves CCPA-compliant?
3. Update your privacy disclosures
Under the CCPA, you must inform consumers with a disclosure at or before the point of collection, including “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”
The disclosure must be available “through a publicly posted privacy notice, and specifically upon request by a consumer,” and it must be updated at least annually. The company website’s homepage must carry a clear link to that disclosure, together with a clear and conspicuous “Do Not Sell My Personal Information” link that lets consumers opt out of the sale of their PI.
4. Respond to consumer rights requests
Organizations are required to respond to consumer rights requests within 45 days and “free of charge,” unless they can show that a request is “manifestly unfounded or excessive.” The time to respond can be extended by a further 45 or 90 days depending on the complexity of the request, but only if the organization notifies the consumer of the extension before the initial 45-day period elapses.
When responding, organizations may provide the information either in writing or electronically. For electronic delivery, the law states that the “information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.”
To meet these criteria of CCPA compliance, you need the following minimum key data workflows:
- Receive. Every new request must be logged, irrespective of the channel it arrives through. The law requires organizations to make at least two methods available for submitting requests, at a minimum a toll-free telephone number and a website address.
- Review. Consumer rights under the CCPA are not absolute, so each inbound request must be reviewed to confirm that it meets the relevant criteria (including verification of the requester’s identity) and can be carried out without prejudice to any of the organization’s other legal obligations.
- Retrieve. If the request is approved, the relevant information must be located and retrieved across systems; deletion requests and requests to opt out of sale must likewise be carried out.
- Respond. Once the necessary processes are complete, including retrieval, deletion, or controls placed around the processing/sale of PI, a response needs to be sent to the consumer.
Crafting a sustainable CCPA compliance strategy
CCPA compliance is an ongoing process: you must respond quickly both to updates to the law and to the new channels and campaigns you introduce. To manage the compliance process efficiently, put data at the center of your CCPA compliance strategy.
A data-centric privacy strategy helps you respond faster as more, and stricter, regulations are announced. As the scope of consumer information widens, you need to keep track of all sources of PI, understand how and why each is processed, know which policies apply to which datasets, and maintain granular controls that can restrict specific processing activities.
Assessing these broad competencies in more specific terms, you will need the following capabilities for sustainable CCPA compliance:
- PI discovery and classification: An indispensable capability that lets privacy teams map where PI is stored throughout the enterprise’s data ecosystem. For CCPA compliance, you need to scan data periodically and give it context: once a source is being monitored, you must be able to categorize and systematize its contents and use them compliantly. Investing in automated PI discovery tools helps you scale as the CCPA evolves and as new regulations emphasize consumer rights. Automated PI classification lets you label data under the different PI classes consistently, so new sources are onboarded efficiently.
- Business process management: You are accountable for knowing and communicating how and why you use PI. Business process management provides data context by mapping the business processes associated with PI to explain the purpose behind the processing. For example, documented business processes help to ascertain whether a deletion request can be carried out in its entirety, or whether some information must be retained to comply with other obligations.
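The PI discovery and classification capability above, together with the inventory requirement and the need to locate a consumer’s PI across systems when an access or deletion request arrives, can be illustrated with a small scanner. The following is an added example written for this article, not code from the original page or from any product; the PI classes, regular expressions, field-name heuristics and the three sample data sources are assumptions constructed for illustration, and a real deployment would need far broader detectors plus validation against false positives.

```python
"""PI discovery, classification and cross-system lookup over constructed
sample data. Added example for this article; it is not code from the
original page. The PI classes, regex patterns, field-name heuristics and
sample records below are assumptions chosen for illustration."""
import re
from collections import defaultdict

# Value-based detectors for a few PI classes named among the CCPA examples.
# Each entry maps a class name to (regex, validator). The validator rejects
# regex hits that cannot be real values, e.g. an IPv4 octet above 255.
VALUE_DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda s: True),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
             lambda s: all(int(o) <= 255 for o in s.split("."))),
    # SSN: area not 000/666/9xx, group not 00, serial not 0000 (assumed rules).
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
            lambda s: True),
    "us_phone": (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), lambda s: True),
    # "lat, lon" decimal pairs with at least three decimals (assumed shape).
    "geolocation": (re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}\b"),
                    lambda s: True),
}

# Field-name heuristics for PI with no recognisable value shape: opaque
# unique identifiers and browsing ("internet activity") fields.
NAME_DETECTORS = {
    "unique_identifier": re.compile(r"(^id$|_id$)", re.IGNORECASE),
    "internet_activity": re.compile(r"^(path|url|referer|user_agent)$", re.IGNORECASE),
}

# Constructed sample sources: a CRM table, a web access log and mobile events.
SAMPLE_SOURCES = {
    "crm.customers": [
        {"customer_id": "C-1001", "email": "jane.doe@example.com",
         "phone": "(415) 555-0134", "notes": "Prefers email contact"},
        {"customer_id": "C-1002", "email": "sam@example.org",
         "phone": "415-555-0199", "notes": "SSN on file: 123-45-6789"},
    ],
    "web.access_log": [
        {"ts": "2019-06-01T12:00:00Z", "client": "203.0.113.7",
         "path": "/cart", "user": "jane.doe@example.com"},
        {"ts": "2019-06-01T12:05:00Z", "client": "999.1.1.1",  # invalid octet
         "path": "/checkout", "user": "-"},
    ],
    "mobile.events": [
        {"device_id": "A1B2-C3D4", "coords": "37.7749, -122.4194", "event": "open"},
    ],
}


def classify_value(value):
    """Return the set of PI classes whose detector matches the value text."""
    found = set()
    for cls, (pattern, valid) in VALUE_DETECTORS.items():
        if any(valid(m.group()) for m in pattern.finditer(str(value))):
            found.add(cls)
    return found


def classify_field(name, values):
    """Combine name-based and value-based classification for one field."""
    classes = {cls for cls, pat in NAME_DETECTORS.items() if pat.search(name)}
    for v in values:
        classes |= classify_value(v)
    return classes


def build_inventory(sources):
    """Map each source to {field: sorted PI classes}, omitting fields with no PI."""
    inventory = {}
    for source, records in sources.items():
        columns = defaultdict(list)
        for rec in records:
            for field, value in rec.items():
                columns[field].append(value)
        classified = {f: sorted(classify_field(f, vals)) for f, vals in columns.items()}
        inventory[source] = {f: c for f, c in classified.items() if c}
    return inventory


def locate_subject(sources, identifier):
    """Find every (source, record index) holding the consumer's identifier,
    the first step in fulfilling an access or deletion request."""
    needle = identifier.strip().lower()
    hits = []
    for source, records in sources.items():
        for i, rec in enumerate(records):
            if any(needle in str(v).lower() for v in rec.values()):
                hits.append((source, i))
    return hits


if __name__ == "__main__":
    for source, fields in build_inventory(SAMPLE_SOURCES).items():
        print(source, fields)
    print(locate_subject(SAMPLE_SOURCES, "Jane.Doe@example.com"))
```

Two design points carry over to real tooling: value detectors need validators (the scanner drops `999.1.1.1` even though it looks like an IP address), and some PI is only recognisable from context, so field-name rules must run alongside pattern matching or opaque identifiers and browsing history never make it into the inventory.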
A sustainable data-centric approach to complying with CCPA ensures that your organizational data privacy policies are aligned with the CCPA compliance requirements and the necessary processes are in place. A comprehensive data strategy will help your organization comply with any future data privacy regulations quickly.