One of the biggest challenges with complying with data privacy regulations like the California Consumer Privacy Act (CCPA) is simply knowing where to start.
The law has so many individual requirements that step one is pretty unclear—worse, many of these requirements can’t be effectively met until you’ve established a foundation for compliance first.
One way to establish a foundation is to follow a CCPA compliance checklist. In this article, we will delve into the basics of CCPA, explore its key principles, and outline the essential steps to achieve compliance.
The California Consumer Privacy Act (CCPA) gives California residents control and protection over their personal information by providing them with rights and assigning the businesses that process their data certain responsibilities.
The act grants consumers:
Under the CCPA, businesses are required to provide clear and conspicuous notices to consumers about their data collection and sharing practices. They must also implement reasonable security measures to safeguard personal information and obtain explicit consent before collecting or selling sensitive information, such as financial or health data.
The CCPA applies to any for-profit business that collects, shares, or sells the personal information of California residents—but only if that business meets certain thresholds first. It doesn't matter if the business is based in California or operates outside the state; as long as it meets the criteria, it must comply with the CCPA.
Specifically, the CCPA applies to businesses that meet at least one of the following:
The law applies to a wide range of businesses, including retailers, service providers, online platforms, and even companies that do not have a physical presence in California but conduct business within the state. It covers both online and offline activities, ensuring that all businesses that handle the personal information of California residents are held accountable.
So, if you’re subject to the CCPA and are found to be noncompliant, what happens?
Well, the state attorney general and the California Privacy Protection Agency have the right to levy fines against noncompliant businesses, including:
Each instance of improperly handled personal information counts as a separate violation, so fines can balloon quickly; past enforcement actions have run into the millions of dollars.
Now that the key principles of CCPA are clear, let's move on to the steps you need to take to achieve compliance.
Start by conducting a comprehensive data inventory and mapping exercise. This involves identifying all the personal information your business collects, where it is stored, how it is used, and who it is shared with. Personal information includes any information that identifies, relates to, describes, or is capable of being associated with a particular individual.
During the audit, consider all possible sources of personal information, including customer databases, website analytics, and third-party vendors. It is important to document and categorize the types of personal information collected, such as names, email addresses, phone numbers, and financial data.
Mapping your data flows will help you:
Ultimately, mapping your data serves as the foundation for all your downstream compliance activities.
To comply with the CCPA, businesses must implement reasonable security measures to safeguard personal information. Specifically, Section 1798.100 of the law (“General Duties of Businesses that Collect Personal Information”) states that:
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
This doesn’t exactly give specific guidance about what “security procedures and practices” need to be implemented. That’s why it’s important to have a data security expert on your team who can implement security best practices, such as meeting SOC 2 standards.
One clear requirement in the CCPA is the need to protect personal information at an “appropriate” level based on its nature—that means businesses need to apply a higher standard of security around the sensitive personal information they process. If you effectively mapped your data in step one, then you’ll know where to apply this higher standard.
A robust privacy policy is essential for CCPA compliance. The policy should clearly and accurately outline how your business collects, uses, and shares personal information as well as the rights of consumers under the CCPA.
If you’ve just started working toward CCPA compliance, you may not have all of this information at hand yet. For instance, you may not have implemented a means of handling subject rights requests. The reality is that your privacy policy should be a living document; as your compliance operations change in your organization, it will need to change as well. As you further develop your privacy program, remember to update your policy correspondingly. A helpful perspective to adopt is that a compliance activity can’t be considered “done” unless you’ve assessed whether it must be reflected in your privacy policy.
Under the CCPA, consumers and employees have the right to:
Businesses need to make it easy for consumers to exercise these rights, such as through a DSAR form, toll-free phone number, and/or an email address. What’s more, requests need to be fulfilled within 45 days. Businesses can request an extension of up to 90 days, but they must prove that the request is of a particularly high volume or complexity first.
When handling consumer requests, businesses should have a system in place to authenticate and verify the identity of the requester. This is crucial to prevent unauthorized access to personal information—especially if sensitive personal information is involved.
It is also important to document and track all consumer requests and the actions taken to fulfill them. This can help demonstrate compliance in the event of an audit or regulatory inquiry.
It’s fairly rare these days for a business to process personal information without sending some of it to another organization, whether that’s a partner, vendor, or another entity. To ensure these other organizations continue to give consumer data the protection it deserves, the CCPA requires businesses to add data processing addenda to their contracts with vendors.
There are actually three entities under the CCPA we need to be aware of:
Only service providers and contractors need data processing addenda under the CCPA. The important thing to know is that the personal data you share with service providers and contractors who have these contractual provisions in place is exempt from consumer opt-out requests. The idea here is that service providers and contractors are likely providing critical business functions necessary to your operations, as opposed to, say, targeted advertising delivered by a third party.
Essentially, the addendum ensures that your service provider or contractor can only use your consumers’ data for a specific purpose, must delete that data once that purpose has been met, must implement certain security measures, and so on.
Unfortunately, there is no prescribed format for a data processing addendum, so you’ll need to work with legal counsel to determine what your preferred language should be.
The CCPA requires you to provide consumers with two links:
The “Limit the Use of My Sensitive Personal Information” link functions in a similar way but is stricter. Not only must you cease any transfers of sensitive personal information, but you may only use sensitive personal information if it's necessary for delivering your core product or service and in a way that a consumer would reasonably expect.
Lastly, the California Privacy Protection Agency has clarified that businesses must also accept universal opt-out signals, like the Global Privacy Control. These technologies propagate a visitor’s consent preferences in advance so that they don’t have to interact with a cookie banner or make an opt-out request to communicate their preferences.
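One way to honor the Global Privacy Control signal on the server side, as an added example that is not part of the original article or of Osano's product. It assumes the caller has already looked up any opt-out previously recorded for the consumer (for example, from a consent store) and passes it in as `optOutRecord`.

```javascript
// Added example, not Osano's code: honoring the Global Privacy Control (GPC)
// opt-out signal server-side. Browsers with GPC enabled send the request
// header `Sec-GPC: 1`; the GPC specification defines "1" as the only valid value.

// Return true when the request carries a valid GPC signal.
// `headers` is a plain object of request headers; header names may be in any
// case and values may be a string or an array of strings.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const v = Array.isArray(value) ? value[0] : value;
    return typeof v === "string" && v.trim() === "1";
  }
  return false;
}

// Decide whether personal information from this request may be sold or shared
// (e.g. passed to a third-party advertising tag).
// req.headers      - HTTP request headers
// req.optOutRecord - opt-out previously stored for this consumer (assumed to be
//                    looked up by the caller); shape: { optedOut: boolean }
// Returns { sellOrShare: boolean, reason: string }.
function resolveSaleSharing(req) {
  // A prior explicit opt-out (web form, "Do Not Sell or Share" link, or an
  // earlier GPC signal) wins regardless of what the current browser sends.
  if (req.optOutRecord && req.optOutRecord.optedOut) {
    return { sellOrShare: false, reason: "stored-opt-out" };
  }
  // A valid GPC signal is an opt-out request and must be honored.
  if (hasGpcSignal(req.headers)) {
    return { sellOrShare: false, reason: "gpc" };
  }
  return { sellOrShare: true, reason: "no-opt-out" };
}

// Persist a GPC-driven opt-out on the consumer's record so the choice survives
// a later visit from a browser without GPC. Returns a new record; the input is
// not mutated. `now` is injectable for testing.
function applyGpcToRecord(record, headers, now = () => new Date().toISOString()) {
  if (!hasGpcSignal(headers)) return record || { optedOut: false };
  return { ...(record || {}), optedOut: true, source: "gpc", recordedAt: now() };
}
```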
It can be tempting to think of data privacy compliance as a one-and-done activity, but the reality is that compliance is an ongoing process. Your organization and the way your organization processes personal data will change over time. It’s essential that you:
Attending to all of these requirements at once can be exhausting, especially if you rely on manual, time-consuming processes to carry out your compliance activities. Businesses that rely on Osano for their data mapping, consent management, DSAR workflow, and other difficult but highly automatable compliance requirements regain much-needed time to maintain their CCPA compliance status.
Schedule a demo to find out how Osano can support your compliance with the CCPA and beyond.