Earthquakes aren’t the only things shaking up California: the California Consumer Privacy Act (CCPA) will take effect in about two months and everyone from sales consultants to compliance experts have been weighing in on how to get CCPA compliant. Even my parents discussed the pros and cons of CCPA at the dinner table.
Many pixels have been created and much ink has been spilled around this topic. Redundant articles (e.g. “Everything You Need to Know About CCPA”) and fear-mongering clickbait (e.g. “This 1 CCPA Trap Will Land You in Gitmo”) abound, so we’ll spare you the hyperbole with these five must-dos that will help you become CCPA compliant:
1) Map Where You’re Getting Data From and Where It’s Going
Map out all data that comes and goes through the internal and external tools your company uses. Then, assess whether you’re collecting personal data (defined under the CCPA as data that’s linked to individual persons, households, and devices) and then tie them back to the parts of your business that are using that data (e.g. customer email lists) and whether you’re selling that data. All of this will inform what sections of the CCPA you have to be compliant with.
Note that as part of your data mapping work, you’ll need to put reporting systems and processes in place to determine how much personal data you have on Californians and the amount of revenue generated from that data. And if you’re wondering about revenue amounts under CCPA, businesses in California that 1) generate over $25 million in annual gross revenue, 2) get at least half their annual revenue from selling customers’ personal information (here’s looking at you Facebook, Google, and the DMV, to name some of the usual suspects), or buy, sell, or share personally identifiable information (PII) data of at least 50,000 people, households, or devices.
2) Trust but Verify Your Vendors
At risk of stating the obvious, auditing your vendors and partners on their CCPA compliance efforts (and more broadly, their InfoSec and privacy posture) will go a long way towards avoiding PR nightmares and fines. You can use SaaS tools like the Tugboat platform to assess and track your vendors’ security and compliance stance, or if you prefer the ole fashioned low-tech way of tracking things in spreadsheets and Word docs, then you could email customers the following questions and track their responses in a spreadsheet:
- What data protection and privacy safeguards are in place for your systems and apps?
- Have you been certified by third-party assessors to demonstrate that the proper security- and privacy-related systems, controls, and policies are in place?
You can also use these questions to assess your business and document (if you haven’t already) everything you’ve been doing to get CCPA compliant.
3) Encrypt Your Data
4) Store and Track All Records of Consent
Remember Must-Do #1 (see above)?
Well, under CCPA, Must-Do #1 is necessary, because every child whose personal data you’ve collected must give you explicit permission to sell their data (why companies would collect children’s PII data is eyebrow-raising, not to mention vomit-inducing). Also, you must get a record of consent from the parents or guardians of children under the age of 13.
And when it comes to adults’ data, you need to keep a record of all opt-out requests and you can’t invite people to opt back in for 12 months after they’ve opted out (here’s looking at you recruiting agencies). Definitely document each person’s opt-out and the date they requested the opt-out or opted out of your business’s services and or products.
Note: This is similar to the GDPR’s requirements.
5) Update Your Website to Include the Following…
These are all easy no-brainers to implement on your end:
- Ensure that your right-to-access request policy is clear as day. If people want their data that you’ve collected, you have to give it to them. Don’t Rickroll them, don’t pretend that they’ll get it, and please don’t make people jump through endless legalese and gaslighting-esque questions asking: “Are you really sure you don’t want to not have your data that you think is yours back?”
- Make sure a “Do Not Sell My Personal Information” link very visible and accessible on your website.
- Create and display policy stating that you’ll ask users or customers for their personal data and ask for their consent from their parents or guardians if they’re 16 or under.
6) Bonus: Get CCPA Compliant With a Checklist That Tells You What You Need to Know and Implement Without Legalese, Fear Mongering or Hype
The checklist has CCPA guidelines and considerations for your business, and recommendations for policies and processes to implement. It should help you get CCPA compliant fast, without any unnecessary headaches.