CYA on CCPA: Must-Do's Before 1/1/20

Victor
2019-10-24, 7 min read
Industry News
Regulations
InfoSec Best Practices

Earthquakes aren't the only things shaking up California: the California Consumer Privacy Act (CCPA) will take effect in about two months on Jan 1, 2020, and everyone from sales consultants to compliance experts has been weighing in (even my parents discussed the pros / cons of the CCPA at the dinner table). Many pixels have been created and much ink has been spilled around this topic. Redundant articles (e.g. "Everything You Need to Know About CCPA") and fear-mongering clickbait (e.g. "This 1 CCPA Trap Will Land You in Gitmo") abound, so we'll spare you the hyperbole with these five must-dos that will help you become CCPA compliant:

1) Know where the proverbial dead bodies are buried: Map where you're getting data from and where it's going

Map out all of the data that comes and goes through all of the internal (e.g. homegrown timesheet software) and external tools (e.g. marketing automation software, CMS) your company uses. Then, assess whether you're collecting personal data (defined under the CCPA as data that's linked to individual persons, households, and devices), tie it back to the parts of your business that are using that data (e.g. customer email lists), and determine whether you're selling that data. All of this will inform which sections of the CCPA you have to be compliant with. Note that as part of your data mapping work, you'll need to put reporting systems and processes in place to determine how much personal data you have on Californians and the amount of revenue generated from that data. And if you're wondering about revenue amounts under CCPA: the law applies to businesses in California that 1) generate over $25 million in annual gross revenue, 2) get at least half their annual revenue from selling customers' personal information (here's looking at you Facebook, Google, and the DMV, to name some of the usual suspects), or 3) buy, sell, or share personally identifiable information (PII) data of at least 50,000 people, households, or devices.

2) CYA: Trust, but verify, your vendors and partners actually support your CCPA compliance efforts

At the risk of stating the obvious, auditing your vendors and partners on their CCPA compliance efforts (and more broadly, their infosec and privacy posture) will go a long way towards avoiding PR nightmares and fines. You can use SaaS tools like the Tugboat platform to assess and track your vendors' security and compliance stance, or if you prefer the ol' fashioned low-tech way of tracking things in spreadsheets and Word docs, then you could email your vendors and partners the following questions and track their responses in a spreadsheet:
Have you updated your privacy policy and terms of service to reflect CCPA requirements? Can you please show that it's been updated?
What data protection and privacy safeguards are in place for your systems and apps?
Have you been certified by third-party assessors to demonstrate that the proper security- and privacy-related systems, controls, and policies are in place?

You can also use these questions to assess your business and document (if you haven't already) everything you have been doing from a CCPA compliance standpoint, and the things you are working on between now and Jan 1, 2020.

3) Encrypt, encrypt, and encrypt your data

'nuff said.

4) Store and track all records of consent

Remember Must-Do #1 (see above)? Well, under CCPA, Must-Do #1 is necessary because every child whose personal data you've collected must give you explicit permission to sell their data (why companies would collect children's PII data is eyebrow-raising, not to mention vomit-inducing). Also, you must get a record of consent from the parents / guardians of children under the age of 13. And when it comes to adults' data, you need to keep a record of all opt-out requests, and you cannot invite people to opt back in for 12 months after they've opted out (here's looking at you recruiting agencies). Definitely document each person's opt-out and the date they requested the opt-out / opted out of your business's services and/or products. Note this is similar to the GDPR's requirements.
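As an added illustration (not Tugboat's code, and not part of the original post), here is a minimal consent ledger that encodes the rules in this section: an opt-out is recorded with its date, no opt-in invitation is allowed for 12 months after it, minors need explicit permission, and under-13s also need a guardian's consent on file. The age thresholds and field names are assumptions taken from the post, not from the statute text.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as the post states them (assumption for this example, not legal advice).
GUARDIAN_CONSENT_AGE = 13   # under 13: parent/guardian consent must be on file
MINOR_AGE = 16              # under 16: the child's own explicit opt-in to sale is required
OPT_OUT_COOLDOWN_MONTHS = 12


@dataclass
class ConsentRecord:
    subject_id: str
    age: int
    sale_opt_in: bool = False            # explicit permission to sell their data
    guardian_consent: bool = False       # parent/guardian consent recorded
    opted_out_on: Optional[date] = None  # date of the most recent opt-out request


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to month end (Feb 29 -> Feb 28)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def record_opt_out(rec: ConsentRecord, requested_on: date) -> ConsentRecord:
    """Log the opt-out date and revoke any prior opt-in so sales stop immediately."""
    rec.opted_out_on = requested_on
    rec.sale_opt_in = False
    return rec


def may_invite_opt_in(rec: ConsentRecord, today: date) -> bool:
    """Opt-in invitations are only allowed once 12 months have passed since the opt-out."""
    if rec.opted_out_on is None:
        return True
    return today >= add_months(rec.opted_out_on, OPT_OUT_COOLDOWN_MONTHS)


def may_sell(rec: ConsentRecord) -> bool:
    """Sale is blocked by any opt-out; minors need explicit consent, under-13s a guardian's too."""
    if rec.opted_out_on is not None:
        return False
    if rec.age < GUARDIAN_CONSENT_AGE:
        return rec.guardian_consent and rec.sale_opt_in
    if rec.age < MINOR_AGE:
        return rec.sale_opt_in
    return True  # adults: permitted unless they have opted out
```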

5) Update your website to include the following

These are all easy no-brainers to implement on your end:

1) Ensure your website and product's privacy policy spells out what personal data you collect and why you collect it, in addition to what you do with that data (i.e. how you process it) and how you verify the identity of the person who has requested their data.
2) Ensure that your right-to-access request policy is clear as day: if people want their data that you've collected, you have to give it to them. Don't Rickroll them, don't pretend that they'll get it, and please don't make people jump through endless legalese and gaslighting-esque questions asking "Are you really sure you don't want to not have your data that you think is yours back?"
3) Make sure a "Do Not Sell My Personal Information" link is very visible and accessible on your website.
4) Create and display a policy stating that you'll ask users / customers for their personal data and for their consent, and that you'll ask for consent from their parents / guardians if they're 16 or under.

6) Bonus: Get the CCPA checklist that tells you what you need to know and implement without legalese, fear mongering or hype

The checklist has CCPA guidelines and considerations for your business, and recommendations for policies and processes to implement. Here's where you can download the checklist.
TUGBOAT LOGIC INC. © 2019 - BURLINGAME, CA, USA