What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a California state law that took effect on January 1st, 2020, and enhances the privacy rights of California residents. It regulates what businesses are allowed to do with the personal information they collect and aims to put data rights back into the hands of their customers. 

Under the CCPA, California consumers are now allowed to ask how their data is being used and to have a say in which third parties have access to it. The CCPA shares a number of similarities with Europe’s GDPR, and it is one of the most far-reaching data protection laws in the United States. In fact, the CCPA extends far beyond California and applies to any for-profit business that meets a certain threshold in size and revenue, collects California residents’ personal information, or does any business in the state.

With so many businesses that may be held accountable to the CCPA, it’s time for organizations to start learning the standards. 

The CCPA Compliance Checklist

Understanding the CCPA and the rules and regulations an organization must comply with can feel overwhelming. However, with a simple checklist, you may realize that you already have some steps or initiatives underway. And if you don’t, this checklist will help your organization get on track. 

We will go into each step in more detail, but in general, the steps are:

  • Find Out if the CCPA Applies to Your Business
  • Establish Accountability Within Your Organization 
  • Conduct a Detailed Gap Analysis
  • Map Data Flows and Create a Personal Information Inventory
  • Develop Organizational Procedures, Protocols, and Processes 
  • Provide Compliance Training for Employees
  • Implement Technical and Safety Measures to Protect Personal Information

1. Find out if the CCPA applies to your business

First, figure out if the CCPA applies to your business or organization. The CCPA applies to any for-profit organization that does business in California. Additionally, it applies to businesses that:

  • Have a gross annual revenue in excess of $25 million.
  • Derive 50% or more of their annual revenue from selling consumers’ personal information. 
  • Annually buy, receive, or share for commercial purposes or sell personal information of 50,000 or more consumers, devices, or households. 

If you are unsure about any of the above or if it applies to your organization, it is always best to comply just to be safe. 

2. Establish accountability within your organization

Complying with the CCPA will require support from top-level management. Your organization’s board should understand the law to the best of their ability, as well as the implications of not complying with the CCPA, such as loss of consumer trust and a tarnished reputation.

We recommend starting these conversations with upper management as soon as possible so that you can get the support and resources you need to achieve long-term results. It is also a good idea to hire and assign key roles for CCPA compliance like a Data Protection Officer (DPO) who can continuously monitor and measure data security risks across your organization. 

3. Conduct a detailed gap analysis

Conducting a CCPA gap analysis will help you understand which current practices meet CCPA requirements and which ones need to be revised. This gap analysis should cover all areas of your business, including governance, risk management, roles and responsibilities, training procedures, and privacy protocols.

Take the time to review the CCPA and understand its rules and regulations. Some specific things you’ll want to include in your gap analysis are any existing privacy protocols your company has in place, an analysis of where your company is currently maintaining compliance and where it is not, and detailed instructions on how your company will take steps to achieve greater compliance. By doing so, your business can proactively identify data privacy risks and mitigate them.

4. Map organizational data and create a Personal Information Inventory

It’s important to get a comprehensive look at all the personally identifiable information (PII) in your organization, where it is stored, and how it is used. This should be a thorough search across all your networks and devices, not just where you think that data resides.

Assess the categories of personal information your organization holds as well as the business or commercial purpose for storing it. PII consists of any data that can be used to identify someone.

Examples include:

  • Home address
  • Names
  • Employment Records
  • Email and IP Addresses
  • Passport Numbers
  • Driver’s License

5. Develop organizational procedures, protocols, and processes 

After mapping out how personal data flows through your organization, you will need to review any existing policies, protocols, or procedures you have in regard to data protection. You may need to revise existing procedures and update your website and company materials to reflect these changes. 

In particular, you will need to see if your PII protection policies are in line with the CCPA, including notices for opt-out and opt-in rights. You’ll want to plan how to respond to requests from consumers who are requesting to access or delete their personal information. Make sure any and all protocols are documented in a safe, secure space that appropriate employees can refer to if needed. 

6. Provide compliance training for employees

You can’t expect your employees to be experts on compliance without the appropriate training. You’ll want to ensure that the employees who are responsible for handling customer inquiries regarding privacy rights and those who have access to the personal data stored on your computers, servers, and cloud are aware of the CCPA requirements and the privacy protocols your company has in place. Offer training sessions for those who need it and send out information on any changes that are made to the CCPA as time goes on.

7. Implement technical and safety measures to protect personal information 

Having appropriate safety measures in place to secure the personal information your organization holds is critical to maintaining compliance. Not only should you have a security policy in place, but encryption and de-identification methods should be used when appropriate. We also recommend utilizing data discovery software. With something like a PII Scanning Tool, your organization can efficiently identify all of the data stored on your computers, servers, and cloud and begin to take the appropriate steps towards maintaining CCPA compliance.

Maintain CCPA Compliance with Ground Labs

While the CCPA may only be based in one state, its implications are far-reaching and will affect millions of customers across the country. As a reputable business, it’s important to familiarize yourself with the regulations set forth by the CCPA and ensure that you are safeguarding your customers’ data in the best way possible.

One way to start doing so is through data discovery. Ground Labs’ powerful data discovery software Enterprise Recon is able to detect over 300 types of structured and unstructured data, including CCPA-specific PII patterns. With the ability to map data across networks, servers, and platforms and demonstrate CCPA compliance with custom reporting, your organization can proactively prepare for any data security challenge that comes your way.

Ready to learn more about how to maintain CCPA compliance? Schedule a demo today.
