Use this CCPA compliance checklist to get up to speed

California leads the pack in terms of state regulations on data privacy and transparency. Now, it's time for businesses to be proactive with this CCPA compliance checklist.

The California Consumer Privacy Act is here: it took effect on Jan. 1, 2020, with enforcement by the California attorney general beginning July 1, 2020. Businesses around the nation must now take action to protect the new legal privacy rights granted to California residents. As with any new compliance regime, dotting the i's and crossing the t's for CCPA requires a careful review of business practices. Now that the dust is settling on initial compliance efforts, many organizations find themselves at the right point to assess whether their CCPA controls actually work.

While CCPA protects only California residents, it is likely to spark a wave of similar legislation in other states. California was the first state to enact a data breach notification law, in 2002. Today, nearly two decades later, similar laws are on the books in every state. With this trend in mind, businesses should expect to scale their CCPA processes to their operations nationwide rather than building them for California alone.

Organizations should consider the following when determining their current CCPA compliance status.

Accurately determine the scope of compliance

If an organization has not yet begun CCPA compliance efforts because it believes it is outside the scope of the law, make sure that assumption is valid. CCPA applies to for-profit entities that do business in California, collect California residents' personal information, and meet at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50% or more of annual revenue from selling personal information. A business below all three thresholds is exempt. Note that the 50,000 threshold counts households and devices as well as named individuals, so a modest volume of web traffic tracked by cookie or IP address can cross it, and that entities controlled by, or sharing common branding with, a covered business are covered too.

A checklist to help ensure CCPA compliance

Map all CCPA-covered data elements

CCPA defines personal information broadly: any information that identifies, relates to, describes or could reasonably be linked, directly or indirectly, with a particular consumer or household. That goes beyond traditional personally identifiable information (PII) to cover identifiers such as IP addresses and cookie IDs, geolocation, browsing and purchase history, and inferences drawn from other data. To remain compliant, organizations should map where this information is collected, stored, processed and shared, including copies held by service providers and other third parties, because access and deletion requests have to reach every one of those locations.

Conduct mandatory CCPA training

Businesses covered by CCPA must ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or CCPA compliance are trained on the business's obligations under the law. This training must cover the procedures for responding to consumer requests to exercise their privacy rights and how to direct consumers to the request mechanisms the business offers.

Match privacy policy to CCPA requirements

CCPA-compliant privacy policies must be reviewed and updated at least once every 12 months. The updated privacy notice must describe consumers' rights under CCPA and the designated methods for submitting requests to exercise those rights; for most businesses, this means at least two methods, including a toll-free telephone number. The notice must also list the categories of personal information the business has collected in the preceding 12 months, as well as the categories it has sold or disclosed for a business purpose, and a business that sells personal information must provide a clear "Do Not Sell My Personal Information" link.

[Figure: Description of California residents' privacy rights. California residents' privacy rights may inspire similar state or federal legislation.]

Implement mechanisms to handle consumer privacy requests

CCPA grants consumers the right to know what personal information a business has collected about them, including the categories and specific pieces of information, the sources, the purposes for collecting it and the categories of third parties it is shared with. Consumers may also request that the business delete their personal information, subject to statutory exceptions such as completing a transaction the consumer requested, detecting security incidents or complying with a legal obligation. The business must verify the identity of the requester before disclosing or deleting anything, since an unverified access request is itself a data leak waiting to happen. Responses are due within 45 days of receipt; that period may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified. Data provided in response to an access request must be portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit it to another entity without hindrance.

Simplify consumer privacy request mechanisms

Many businesses are seeing an influx of CCPA requests from consumers exercising their new rights. While this initial flood may not be representative of the ongoing request volume, the CCPA process is not going away. With a few months of experience under their belts, businesses should examine the processes they have in place to handle these requests and see whether they can reduce costs by streamlining and automating responses to consumers. Any automation must still verify the requester's identity and keep records of each request and the response to it; the attorney general's regulations require those records to be retained for at least 24 months.
