ar130405 - Fotolia


Privacy controls to meet CCPA compliance requirements

Existing risk management programs are a solid foundation for CCPA compliance requirements. Learn the privacy controls needed to remain CCPA-compliant and improve IT security.

The California Consumer Privacy Act went into effect on Jan. 1, 2020, and is the first of potentially many state laws that impact the way businesses manage consumer and customer data. This trend has prompted many CIOs and compliance officers to start scrambling to check their risk management programs for privacy regulation coverage.

Similar to the GDPR launched by the European Union in 2018, CCPA forces businesses that sell products and services to California-based customers to take a close look at how they protect consumer privacy and manage consumer data. It's not enough to simply deploy security measures to prevent cyberattacks. Businesses must now also implement controls for how they handle customer data coming in, being stored and ultimately retired.

Key CCPA compliance requirements

Unlike GDPR, CCPA does not provide consumers with the right to correct inaccurate personal data, restrict processing or object to data processing. However, CCPA includes two major requirements businesses must adhere to:

  1. Inform consumers of any information that will be sold or shared.
  2. Give consumers the ability to opt out of having their personal information sold.

CCPA also requires businesses to collect advance consent from consumers under the age of 16 to sell their data. If a consumer is under the age of 13, consent must be given by a parent or guardian. In addition, businesses must treat all customers equally in relation to the price charged for products and services, regardless of whether they opt out of having their information sold.

Businesses subject to CCPA compliance requirements

CCPA applies to any for-profit entity conducting business in California that collects, shares or sells the personal data of California consumers and meets at least one of the following criteria:

  • generates annual revenues in excess of $25 million;
  • possesses the personal information of 50,000 or more consumers, households or devices; or
  • earns more than half its annual revenue from selling consumers' personal information.

CCPA does not apply only to businesses based in California. Even if a company is based in another U.S. state or another country but serves California residents and meets the criteria above, the company is still subject to compliance.

Penalties for noncompliance

The penalties for violating CCPA make it imperative to deploy the appropriate privacy controls. California can fine companies up to $750 for each individual violation of a consumer's private information. For any violation deemed intentional, the state has the right to increase fines to as much as $7,500 per violation.

If the company leaders take risk management seriously, they will find a way to meet the letter of the law for CCPA.

If a database of 10,000 consumers is mishandled, for example, the company is looking at a penalty of at least $7.5 million. But, if the company has already implemented a strong IT risk management program, it is more than likely on the path to complying. If the company already complies with GDPR, there may be just a couple of privacy controls to tweak. The bottom line: If the company leaders take risk management seriously, they will find a way to meet the letter of the law for CCPA.

Controls for achieving privacy compliance

As a starting point, the key to CCPA compliance is found in these steps:

  1. Map existing security and privacy controls to the CCPA requirements.
  2. Identify any gaps.
  3. Devise a plan to close those gaps.
  4. Follow up with an assessment -- preferably by an independent auditor -- to validate CCPA compliance.

Hopefully, the company won't have to start from scratch, in which case it would need to allocate a team of internal resources and invest in new processes and technologies to comply with CCPA. A project like this could easily add up to billions for all the companies across the globe that conduct business with California customers.

Assuming the organization already has a strong IT security posture and a solid risk management program, here's a quick rundown of the major privacy controls that might need to be added in order to comply with CCPA:

  • Data transparency/openness. Implement policies, procedures and technologies directly affecting consumers and their personal information that are open and transparent. This includes developing an easy-to-read privacy notice.
  • Consumer responsiveness. Establish timelines and methods with which to respond to consumer requests for their information, to change information and to delete it.
  • Nondiscrimination. Ensure that consumers are not discriminated against if they chose to opt out of sharing information.
  • Impact assessment. Establish a privacy impact assessment process, and perform impact assessments as necessary.
  • Third-party requirements. Ensure that third-party recipients of personal information provide at least equivalent levels of personal information protection and that they are legally obligated to do so.
  • Monitoring and auditing. Monitor and audit personal information protection controls and the effectiveness of the internal personal information protection policy.
  • Awareness training. Provide suitable awareness training for company personnel who will have access to personal information of consumers.

The controls listed above can serve as a starting point for companies beginning their journey to CCPA compliance. It's important to work with a compliance expert who can delve into the specific CCPA compliance requirements that apply to the company's data environment. An expert can assist with understanding exactly how much is in scope for CCPA, along with how and where to apply the controls in the most effective and efficient manner possible.

CCPA consumer rights

More state laws in the works

Although CCPA is still fairly new, it's best to start assessing where the company stands in relation to these controls. While there is a movement at the federal level to enact nationwide privacy laws in the U.S., it appears to have stalled. Meanwhile, many states are in the process of enacting privacy laws similar to CCPA. It's only a matter of time before these laws impact companies of all sizes conducting business in almost every state across the U.S.

About the author

Anne Kimbol serves as assistant general counsel and chief privacy officer for HITRUST. Using her expertise, she provides strategic advice to the C-suite on privacy-related issues, including advising on best practices, compliance with U.S. law, state privacy laws and the European Union's GDPR. In her role as assistant general counsel, Kimbol is responsible for assisting the chief legal officer and contracts manager on contractual issues with clients and vendors. She is also responsible for formulating and implementing HITRUST's privacy policy and strategy, ensuring that internal privacy practices and processes operate in conjunction with the information security and operations personnel. Kimbol leads the organization in monitoring public policy and privacy issues from the state or federal level, as well as internationally. She also identifies key international programs in HITRUST's areas of expertise, including privacy and broader data protection issues. Kimbol is recognized by the International Association of Privacy Professionals as a Fellow of Information Privacy.

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing