Preparing for CCPA Compliance: 7 Steps to Ensure Compliance and Protect Your Business
As today’s much-needed consumer data privacy revolution takes shape, new laws and regulations are playing a central role in empowering individuals. But for the affected businesses, the result is often additional hurdles and expenses, as these companies struggle to understand and comply with the demands of legislators.
For the CTOs, CIOs, and compliance teams still recovering from planning and executing compliance strategies for the European Union’s General Data Protection Regulation (GDPR), there is little time to rest before the deadline for their next major challenge: the California Consumer Privacy Act (CCPA).
This act, which was passed in 2018, is due to take effect on January 1, 2020. While it will only be on the books in California, its impact will be felt far beyond the Golden State. It has many similarities to the GDPR, but the new law also introduces some stricter regulations, requiring companies to invest serious time and resources in compliance.
Given the financial and reputational damage that businesses could suffer should they fail to adhere to the new law (and the short time left to prepare), the CCPA should be a top priority for any company covered by the law—no matter where in the world that company is based.
To help you prepare your business to stay on the right side of the law, this eBook will teach you:
- What the overarching goals and main components of the CCPA include.
- How the CCPA is similar to—and different from—the GDPR.
- How the CCPA will be enforced.
- What risks your company faces should it fail to comply with the new law.
- What specific steps your company should take to ensure that it meets the CCPA deadline of January 2020.
Understanding the CCPA
While the United States lacks a unified and comprehensive federal privacy protection law, the California Consumer Privacy Act (CCPA) is widely seen as one of the country’s biggest steps towards protecting individuals’ privacy in an age of unprecedented data collection.
It is no coincidence that California is taking the lead in this regard. The state happens to be the fifth-largest global economy and home to an ever-growing number of technology companies in Silicon Valley and beyond—including some of the biggest data-collecting and data-processing businesses in the world.
The act is expected to have a global impact on data-driven businesses, as the General Data Protection Regulation (GDPR) did when it went into effect in Europe in 2018. Forward-thinking businesses are already adopting the CCPA in their privacy protection operations as the de facto standard for the protection of all U.S. citizens’ privacy. The law is slated to take full effect on January 1, 2020, with enforcement due to begin six months later.
Before we delve into the steps to comply with the CCPA and the ways it differs from the GDPR, let’s answer some common questions without the “legalese” you will find in the full text of the law.
What Is the CCPA?
The CCPA is a law in the State of California that aims to protect the privacy rights of Californians by giving them control of their own personally identifiable information (PII) and the ways it is used by businesses.
Under the law, the rights granted to the residents of California include:
- The right to know what personal information about them is being collected by a business.
- The right to have their personal data deleted.
- The right to know if their personal information is sold or disclosed.
- The right to say no to the sale of their personal data.
- The right to know what types of personal data will be collected from them before the information is collected.
- The right to know the purposes of collecting their personal data.
- The right to know whom their personal data may be shared with.
- The right to know the sources from which their personal information is acquired.
- An opt-in mandate for the sale of information belonging to minors (persons under the age of 16), with a requirement that a parent or guardian opt in on behalf of a child under the age of 13.
- The right to not be discriminated against for exercising one’s rights under the CCPA (although a later amendment added an exception for cases in which “the differential treatment is reasonably related to value provided to the business by the consumer’s data”).
- The private right of action against a company in the case of a breach of personal data.
How Has the CCPA Taken Shape?
The CCPA started out as a consumer-driven ballot initiative to protect the personal data privacy of Californians. However, since a law passed through legislation is easier to amend in California than a law passed through the state’s initiative process, local lawmakers rushed to draft and pass the CCPA as such. After being passed unanimously by the California State Legislature, it was signed into law by then-governor Jerry Brown on June 28, 2018.
Because of this rushed process, the original draft of the CCPA was full of confusing and sometimes contradictory wording—making it far too unclear and open to interpretation. As a result, the original act has since been amended.
Who Is Impacted by the CCPA?
The CCPA is bound to have profound implications on how many businesses treat the data of people using their services. While the law aims to protect the privacy of 40 million California residents, many organizations are simply adjusting their compliance operations to cover all American users.
Whom Does the CCPA Protect?
The CCPA aims to protect the residents of California, whether currently living in the state or located abroad. The California Code of Regulations defines a resident as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
What this means for businesses is that geo-excluding Californian users on your website won’t work, as they might be located elsewhere. In fact, you might not even know they’re residents of California protected by the CCPA when you collect their data.
Who Gets Regulated?
Section 1798.140(6)(1)(A-C) of the CCPA defines what businesses must comply with the regulations. A company must comply with the CCPA if it (or any of its parent or subsidiary companies) meets all of the following criteria:
- It has a gross annual revenue exceeding $25 million.
- It uses the personal data of more than 50,000 consumers every year for commercial purposes (including buying, receiving, selling, or sharing the personal information of consumers for commercial purposes).
- It derives 50% or more of its annual revenue from selling consumers’ personal information.
- It is a for-profit entity that provides data-processing services to CCPA-covered businesses.
The CCPA does not elaborate or clarify what it means to be “doing business in California”. However, legal experts suggest that a company can be regulated by the CCPA even if it does not have a physical presence in California.
What Does the CCPA Consider Personal Information?
Section 1798.140(o)(1) of the CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In an attempt to clarify, the lawmakers provided a list of information types and categories that may be considered personal, including:
- Personal identifiers such as a real name, alias, postal address, IP address, email address, Social Security number, etc.
- Commercial information—including records of personal property, products or services purchased or considered, etc.
- Biometric information such as fingerprints, DNA, imagery of the retina, etc.
- Online activity information such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation data.
- Professional or employment-related information.
- Education information (provided that it is not publicly available).
- Inferences drawn from any of the information listed above to create a comprehensive consumer profile.
Exempt from the CCPA are types of personal data that are covered by other federal or state laws, such as medical data and information collected for medical research. These are protected by the Confidentiality of Medical Information Act and the Federal Policy for the Protection of Human Subjects.
The CCPA also excludes “deidentified” information and “aggregate” consumer data. As long as data cannot be tied to an identifiable consumer profile, the CCPA does not apply to it.
For example, a marketing analytics company aggregating and storing only statistical information about the purchase behavior of certain consumer groups or categories will be exempt from the CCPA—even if every single one of those groups and categories is made up of Californians—as long as the data cannot be linked to any one customer or household.
The final category of personal data exempt from the CCPA is public information made available by government authorities.
Who Enforces CCPA Compliance?
The law is to be enforced by the Attorney General of California. This officeholder will be tasked with assessing alleged CCPA breaches, bringing any action before the court for civil penalties, and independently launching investigations into businesses suspected of CCPA noncompliance.
What Happens If You Don’t Comply?
In cases of noncompliance, financial penalties can reach up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.
In addition, the CCPA gives consumers the right to file individual or class-action lawsuits against businesses that have violated their rights under the law. The penalties can range from $100 to $750 per violation (or the cost of actual damages, should it exceed $750), which cumulatively can easily destroy a small or midsize business.
CCPA vs. GDPR: Similarities and Differences
Both the GDPR and the CCPA have the same goal: to give individuals control of their personally identifiable data and force companies to take more responsibility for the information they collect, store, share, or sell. Both laws grant consumers rights like the right to be forgotten, and both require companies to take precautions to safeguard the personal information they store and handle.
However, the two also differ in many ways. Here are a few of the noteworthy differences:
The GDPR casts a much wider net that covers all organizations processing the data of Europeans—regardless of a company’s size, location, or industry. It also applies to all types of personal information.
The CCPA is only applicable to for-profit companies that meet specific criteria. In addition, it only applies to specific categories of information, which are laid out in the law. It excludes nonprofit organizations, as well as data categories covered by other privacy protection laws.
Penalties and Fines
In the case of a serious GDPR violation, the local data protection authority (DPA) can fine an organization up to 4% of its global annual turnover, or 20 million euros—whichever is higher.
While fines issued under the CCPA may seem modest in comparison, the right granted to consumers to sue the business (either individually or in a class action) makes the potential cost of CCPA violations unpredictable.
Opt-Out Right for Personal Information Sales
The CCPA surpasses the GDPR in empowering consumers to prevent the sale of their personal information. Specifically, the new law requires businesses not only to comply with a consumer’s request to opt out of the sale of personal information to third parties, but also to include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on applicable digital assets.
7 Steps to CCPA Compliance
Complying with the CCPA will likely require you to adapt your existing data protection operations to address the law’s demands. To help you with this process, Namogoo offers a number of user-friendly tools, as well as the expertise we acquired while helping companies ensure compliance with the GDPR.
By taking the following seven steps, you can prepare your company to adhere to the CCPA. Keep in mind: If your business is compliant with the GDPR, you are already well on your way to CCPA compliance—meaning that some of the tools and processes you will need are likely already in place.
1. Determine Applicability
Prior to commencing your organization’s action plan for CCPA compliance, it’s advisable to confirm it applies both to your business and to the types of data you collect. Some kinds of information collection and processing in California are covered under other laws (like HIPAA and the Fair Credit Reporting Act). However, the CCPA will still apply to businesses covered by these laws to the extent that they also collect and process other personal information about consumers and households.
After confirming that your business is bound by the CCPA, you will want to identify how and where you interact with consumers’ personal information.
2. Update Data Collection Inventories
Data inventories are databases that hold the information about all relevant data processing taking place in a business (or elsewhere, on its behalf). They cover business processes, third parties, products, and applications that process the personal data of consumers. These databases should be continuously updated to ensure all data collection and processing activities are recorded in an auditable manner.
Cybersecurity is vital here, because a data inventory describes exactly where personal data lives, which makes it an attractive target for attackers. For businesses already making an effort to comply with privacy regulations, the new requirements under the CCPA include:
- Identifying whether personal information has been “sold” (according to the definition of “sold” in the CCPA).
- Identifying what categories of personal information are shared with third parties or received from third parties.
- Identifying what (if any) categories of personal data are covered under other laws (thus exempting this information from the CCPA).
- Identifying whether personal information was collected over 12 months ago (and is thus potentially exempt from the CCPA).
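As an added illustration of the inventory checks above (not code from the original eBook or from Namogoo’s product), here is a constructed Python data-inventory record with the 12-month lookback, the other-law exemption, and a category-level roll-up of what was collected, sold and shared, which is the same information a right-to-know notice has to state. All system names, vendors, field names and sample records are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed illustration of the inventory checks listed above, written for this
# page rather than taken from Namogoo's tooling; names and sample data are assumptions.
LOOKBACK_MONTHS = 12               # the 12-month window the inventory step refers to
EFFECTIVE_DATE = date(2020, 1, 1)  # CCPA effective date quoted in the text

@dataclass(frozen=True)
class InventoryRecord:
    system: str                         # process, product or vendor holding the data
    category: str                       # CCPA category, e.g. "identifiers", "geolocation"
    collected_on: date
    sold_to: Tuple[str, ...] = ()       # third parties the data was "sold" to
    shared_with: Tuple[str, ...] = ()   # third parties it was disclosed to, not sold
    other_law: Optional[str] = None     # e.g. "HIPAA" when another law covers the data

def months_before(today: date, months: int) -> date:
    """Same day of the month, `months` earlier, clamped to that month's length."""
    year, month0 = divmod(today.year * 12 + today.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(today.day, last_day))

def in_scope(rec: InventoryRecord, today: date) -> bool:
    """True when no other law covers the record and it falls inside the lookback window."""
    return rec.other_law is None and rec.collected_on >= months_before(today, LOOKBACK_MONTHS)

def disclosure_summary(records: Iterable[InventoryRecord], today: date) -> Dict[str, object]:
    """Collapse the inventory into what a right-to-know response must state: categories
    collected, sold (and to whom), shared (and with whom), and those set aside as exempt."""
    collected: Set[str] = set()
    sold: Dict[str, Set[str]] = {}
    shared: Dict[str, Set[str]] = {}
    exempt: Set[Tuple[str, str]] = set()
    for rec in records:
        if rec.other_law is not None:
            exempt.add((rec.category, rec.other_law))   # handled under HIPAA etc., not CCPA
        elif in_scope(rec, today):
            collected.add(rec.category)
            for buyer in rec.sold_to:
                sold.setdefault(rec.category, set()).add(buyer)
            for recipient in rec.shared_with:
                shared.setdefault(rec.category, set()).add(recipient)
        # records older than the window are neither reported nor flagged
    return {"collected": collected, "sold": sold, "shared": shared, "exempt": exempt}

# Constructed sample inventory with hypothetical systems and vendors.
SAMPLE_RECORDS = (
    InventoryRecord("crm", "identifiers", date(2019, 9, 1),
                    sold_to=("AdBroker",), shared_with=("EmailVendor",)),
    InventoryRecord("analytics", "online_activity", date(2018, 6, 1), sold_to=("AdBroker",)),
    InventoryRecord("patient_portal", "medical", date(2019, 11, 1), other_law="HIPAA"),
    InventoryRecord("mobile_app", "geolocation", date(2019, 12, 20), shared_with=("MapsProvider",)),
)

def example_summary() -> Dict[str, object]:
    """Run the summary against the sample inventory as of the effective date."""
    return disclosure_summary(SAMPLE_RECORDS, EFFECTIVE_DATE)
```

The analytics record falls outside the 12-month window and the medical record is parked under HIPAA, so neither appears in the collected, sold or shared lists.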
3. Adapt Your Procedures
The CCPA gives Californian consumers several rights, and it’s up to businesses to be ready to promptly comply with requests from individuals based on these rights. As a business, you are obligated to respond to such requests within 45 days.
The consumer rights that require you to amend your company procedures will likely include:
- The right to access one’s personal information.
- The right to have one’s personal information deleted.
- The right to restrict the use of one’s personal information (especially the right to opt out of having one’s information sold, and the requirement for minors to explicitly opt in before their data can be sold).
Establishing procedures for handling customer requests (including recording and verification of requests) requires specific consideration under the CCPA. For global businesses already adhering to the GDPR, complying with the CCPA is simply a matter of adjusting the processes to the new law’s requirements.
4. Update Privacy Policies and Notify Customers
Before starting to collect information from Californians, the CCPA requires you to post a privacy notice to these consumers, detailing what information is collected and how you will use it. Specifically, you must inform customers what categories of data are collected, what categories are sold, and to whom.
In addition, you will need to update your privacy policies to include a description of the rights granted by the CCPA. Many companies are required to provide two or more designated methods for submitting information requests (a toll-free number and a website address) within their privacy policies, but an amendment specifies that online-only businesses can instead provide an email address.
5. Add a “Do Not Sell My Personal Information” Link
6. Map Data Relationships and Amend Third-Party Service Agreements
Privacy regulations demand that your data-processing service providers adhere to certain requirements such as due diligence in securing and encrypting the personal customer data you entrust them with. The CCPA expands upon these demands—paying special attention to what it defines as the “sale” of information, and its difference from disclosing data for processing purposes.
Depending on what type of information is shared or sold, different requirements will apply to third-party vendors. For example, companies buying customer data from you will need to synchronize their data protection processes with yours to comply with Californians’ requests to delete their personal information or stop selling it.
How Namogoo Can Help
To comply with the CCPA, businesses need to map and monitor their data relationships with third-party providers and to ensure the security of individuals’ personal information as it is transmitted to and from third-party services. To address these needs, Namogoo provides companies with continuous customer data security monitoring, as well as ongoing insights into any personal information being collected by any third- or fourth-party services. This way, businesses can easily perform CCPA-compliant and audit-ready data tracking.
To help you verify that your customers’ information is shared only with the parties you want to share it with, Namogoo alerts you to any external service or asset introduced to your website or digital product. This allows you to be aware of any vulnerabilities caused by third- and fourth-party services within your website, so that you can resolve these risks before they result in data breaches or cyber-attacks.
7. Train Your Staff
Most privacy compliance programs mean you already have a data protection officer in place, and perhaps even a whole team making sure your company stays compliant. The final step to CCPA compliance is training your team regarding the new law, its implications for their jobs, and the ways it is different from the GDPR. It’s especially important to pay attention to the processes and policies you adjusted in step 3 and make sure your staff knows how to handle all types of CCPA-related customer requests.
Despite its name, the reach of the California Consumer Privacy Act (CCPA) will extend far beyond the borders of any one state. Not only is California home to global data-collecting giants such as Facebook and Google, but the law also protects the privacy rights of California residents from companies located anywhere in the world.
Considering that the law grants consumers the right to sue companies either individually or collectively for violations of their privacy rights, the implications for businesses are significant. Should a company fail to comply with the law, it could risk potentially serious financial and reputational damage.
With those risks in mind, for-profit companies that are regulated by the CCPA should be fully prepared to comply with the law by the time it takes effect on January 1, 2020. Fortunately, if your company already adheres to the European General Data Protection Regulation (GDPR), the similarities between the two laws mean that you’re well on your way to CCPA compliance. Still, preparing adequately for the CCPA can be a major undertaking—including technological, legal, and training components.
For many businesses that collect customer data via their websites, ensuring compliance can be particularly challenging because of their websites’ use of third- and fourth-party embedded services. To be confident that your customers’ sensitive information is not being abused by the software vendors you rely on (or by bad actors taking advantage of their software), you need to have ongoing transparency into the ways these companies gather information from your site. Namogoo’s Customer Privacy Protection (CPP) solution offers you this kind of transparency in real time, giving you the details you need to protect your customers and your business from the risks associated with third- and fourth-party online software.
Finally, while January 2020 will mark a major milestone in the world of data collection, it is worth keeping in mind the ongoing trends in consumer privacy legislation. The GDPR has inspired other countries to initiate similar legislation protecting consumers’ privacy rights, while the CCPA has inspired similar legislation in a number of states within the U.S. With this trend taking shape on an international scale, it seems that global companies will need to continue adapting to a legal landscape that increasingly limits their ability to collect, process, and sell consumers’ personal information.