Key Steps to CCPA Compliance Solution for Your Firm

CCPA Compliance Solution - Mandatly Inc.

CCPA

The California Consumer Privacy Act (CCPA) is the first state-wide data privacy regulation that governs the processing and sale of personal information of California residents by the organizations.

It came into force with effect from 1st of January 2020. It is the first of its kind and the most recent cookie law passed by the State of California in response to the increased role of personal data in business practices and privacy implications.

This statue intents to enhance the consumer rights in the privacy world along with providing them the insights of the use of their personal information. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code.

Your 8 Steps to Become CCPA Compliant

If an organization has implemented the GDPR program, it should be ready to implement some extra steps for CCPA. If not, we have put together all the important steps to comply with CCPA.

Step 1

CCPA applicability on you

The CCPA protects any natural person who is a California resident. Natural person here means individual human being as opposed to legal person which also includes private businesses or public governments.

The law provides California consumers with a right to know the personal information is collected about them, they can also ask for the copy of the same or they can even ask to opt out of that information being sold.

They can also sue any organization for data breach affecting their personal information.

You can check whether you fall under the scope of CCPA by using these criteria:

Section 1798.140(c) Businesses are obligated to take steps to comply with the consumers’ rights if the businesses collect personal information from California and do business in the state (whether they have a physical presence in California or not) if any of the following three additional thresholds apply. That is, the business:

  1. Has annual gross revenues more than twenty-five million dollars ($25,000,000); or
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

Your first step is to identify if the law affects you. There are many defenses available including information subject to the Gramm-Leach-Bliley Act (GLBA).

All the grey areas of various such regulations are covered under this Act. For example: Financial institutions should keep in mind, that the CCPA is much broader than the GLBA. There will be types of personal information not covered by the GLBA, such as data obtained through webpage tracking, which will now fall under CCPA protection.

Step 2

Perform Data Mapping and build Data Inventory

Once you make sure that the CCPA applies to your organization, your next step is to begin mapping the customer data you collect.

There are multiple streams from where the data enters the pipelines of your organization’s system, it is very important to understand the source, destination, usage, etc. so that you can better organize, access, analyze or protect it. Without an accurate and transparent inventory, it is quite challenging to identify and mitigate any underlying risk, which in turn makes it more difficult to identify the controls required to protect your valuable information assets.

An easy way out is to start answering these few questions:

  • What personal data do you currently collect?
  • What are your methods for data collection?
  • Where and how do you store this data?
  • Do you share the data you collect? If so, with whom?
  • Do you sell the data, provide in exchange for a service, or used for a different purpose?

Perform a data inventory, so you have an auditable record of your data flows across your enterprise, like a data roadmap.

Step 3

Perform Data Protection Impact Assessment/Privacy Impact Assessment (DPIA/PIA)

Perform a risk assessment of the various data flows identified in the inventory and measure your data practices. Many organizations are not aware of the data they own, the scope or where is data located. By getting a proper insight and understanding of your data and its associated risks, it’ll be much easier to get a good sense of impact in the context of CCPA.

Bundled with intelligence to uncover and mitigate the privacy risks associated with the processing of personal data.

A DPIA is a process designed to help you systematically analyze, identify, and minimize the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR, and when done properly helps you assess and demonstrate how you comply with all your data protection obligations.

Step 4

Identify high risk or sensitive personal information

Determine high-risk processing activities for information pertaining to financial, healthcare, or children’s records.

Step 5

Take actions to mitigate the risks identified

Mitigate the identified risks in the various phases of the privacy program through technical and security measures, governance, and vendor management.

  • By irreversibly masking personally identifiable information, this data becomes de-identified and is no longer considered personal information under CCPA or GDPR.
  • Also make sure vendors protect their data and follow the CCPA requirements. There is certain verbiage that needs to be in your vendor contract to shift liability to them for their failure to comply with the CCPA. Lastly, train everyone in your company who collects personal information.
Step 6

Decide How to Handle Customer Requests

Your organization should be able to receive and respond to the consumer requests. You must have a step-by-step procedure in place that dictates how your teams will handle these inquiries.

CCPA requests must be answered within 45 days and free of charge.

Work with your in-house personnel to decide how you will provide these types of services:

  • Provide copies of personal information on consumer requests
  • Delete the personal information on consumer requests
  • Opt-out of sale of personal information on consumer requests
  • Explain what categories of personal information your company sells
Step 7

Provide training

Write down all the steps required under CCPA and in addition to recording them, you should also make sure your teams, especially those in public-facing roles, know how to respond.

Step 8

Review Analytics

Maintain an auditable record of your privacy program by keeping track of all the phases. You can use this in future to benchmark for the upcoming year or apply this to new lines of business that will help you easily update the phases that are necessary.

Audit data analytics involves the analysis of complete sets of data to identify anomalies and trends for further investigation, as well as to provide audit evidence.

How Mandatly Helps?

  • Data Inventory and Mapping: Gain visibility into personal data you have collected, retained, and processed by centralizing all your system and processing activities and keep data inventory up to date for “lookback” and fulfill subject access requests.
  • PIA/DPIA: Perform risk assessment with Mandatly compliance software solution which offers pre-defined templates, relevant workflows and automatic assessment of the risk and impacts of risk-informed decision making with records of every action performed during the assessment process.
  • DSAR Management: Our DSAR solution automates your Data Subject Request process to gain efficiency and saves your time and resources.
  • Accountability and Governance: We provide pre-defined roles and responsibilities to handle the privacy procedure with utmost accuracy and accountability.
  • Reporting: We offer a reporting feature built into the system to get a holistic view of the compliance program for different stakeholders.
Achieve CCPA Compliance using Mandatly Privacy Compliance Software Solution. Use Cookie Consent Solution, DSAR, Data Inventory and Mapping - Mandatly Inc.

Related Blogs

Cookie Consent Solutions for GDPR & CCPA Compliance20240708043627

Cookie Consent Solutions for GDPR & CCPA Compliance

The Role of Cookie Consent Solutions in GDPR and CCPA ComplianceIn today's digital landscape, data privacy regulations like t...
Data Mapping Requirement for CPRA & CCPA Compliance20240501045009

Data Mapping Requirement for CPRA & CCPA Compliance

Data Mapping Requirement for CPRA & CCPA ComplianceWhat are the CPRA Data Mapping Requirements?The California Consumer Pr...
Difference between CDPA, CCPA, CPRA and CPA20210722111718

Difference between CDPA, CCPA, CPRA and CPA

Difference between CDPA, CCPA, CPRA and CPAUnderstanding CDPA, CPA, CCPA & CPRAOn March 2, 2021, Governor Ralph Northam s...
CDPA, CCPA and CPRA : Key Difference & Similarities20210705113837

CDPA, CCPA and CPRA : Key Difference & Similarities

CDPA, CCPA and CPRA : Key DifferencesAll About California’s CDPA, CPRA VS CCPAOn March 2, 2021, Governor Ralph Northam signed...
What is California Consumer Privacy Act?20210601090127

What is California Consumer Privacy Act?

What is California Consumer Privacy Act?The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regu...
GDPR vs CCPA: Key Differences and Similarities20200227094616

GDPR vs CCPA: Key Differences and Similarities

GDPR vs CCPA: Key Differences and SimilaritiesAbout GDPR and CCPAData privacy law has rapidly emerged as a focal point for bo...