July 3, 2019
The California Consumer Privacy Act of 2018 (CCPA) is a sweeping change to existing privacy laws in the United States as it gives consumers broad rights to access and control their personal information. These rights include the consumer’s ability to control how their information is collected, used, sold, and disclosed.
In order to be in compliance with the CCPA, businesses and organizations must know what personal information they collect from consumers, what purposes they use it for, how that information is shared, and with whom it is shared. They also must be able to promptly disclose this information to the consumer when requested. The duties placed on businesses under the CCPA create questions about how these organizations will be able to comply with the new privacy requirements.
CCPA assessment vendors act similarly to auditors in other industries. They will generally have ample experience in working with other organizations as they perform data privacy assessments to ensure compliance with the CCPA and other privacy laws. As a result, CCPA assessment vendors can utilize their experiences with other companies to inform their efforts as they assist businesses in complying with the new CCPA requirements. This experience can help guide a CCPA assessment to ensure that a business:
- is aware of what personal information is being collected by the organization;
- understands the scope of the information collected, how it is used, if it is sold, and how it is shared;
- reviews and updates policies and procedures about the scope and purpose of the collection of personal information;
- updates its internal and online privacy policies to comply with the disclosure requirements of the CCPA;
- has proper policies and procedures in place to promptly respond to consumer requests to access or delete their personal information, as well as to respond to requests for information relating to the sale or disclosure of the consumer’s information;
- implements appropriate technological solutions that will categorize and map the consumer’s personal information in a way that will allow the organization to accurately respond to consumer requests, including requests for a consumer to opt-out of the sale of their personal information;
- develops a proper training program and adequately trains the people in the organization about handling personal information, especially personnel responsible for handling inquiries about consumer personal information;
- reviews contracts with third parties and service providers that personal information is provided to by the business;
- has appropriate risk management policies and procedures for third parties that have access to consumer personal information provided by the business; and
- conducts data privacy audits on service providers who have access to consumer personal information to ensure compliance with the CCPA.
Compliance with the CCPA is going to require organizations to perform a thorough review of their policies on handling and using consumer personal information. This process may be complex and unfamiliar to many organizations but compliance will still be required as organizations are exposed to fines from state regulators. Relying on the data privacy assessment experience of vendors specialized in this area can minimize the risk of non-compliance to the organization and can ensure that the company is ready to respond to consumer requests by January 1, 2020. Companies can also do internal checks as they go through the steps of creating CCPA-required documentation and data mapping.
Click here to see how SixFifty can help your company fulfill its CCPA compliance obligations.
***DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.***