'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on May 24, 2021 AUTHOR PRIVACY RESEARCH TEAM
The California Consumer Privacy Act (CCPA) is well into effect and many organizations are fully compliant yet with the law. We have put together a checklist that organizations can use to see if they are currently compliant with the law.
The CCPA applies to organizations serving Californians, and that:
Organizations that meet criteria are required to comply with CCPA and will be held accountable in the case of non-compliance.
Under the CCPA's right to be informed, organizations will need to disclose personal information they collect with their owners. This disclosure is in two stages with different requirements for each.
Notice Before the Point of Collection
Privacy Notice/ Policy
Keeping the consumer informed is not the only thing organizations need to be aware of under the CCPA. Organizations need to make sure that the information they sell is according to the requirements of the CCPA. These requirements include:
CCPA gives consumers the right to request access to any information held by organizations on the individual. Consequently, organizations are required to ensure the following solutions are available to their customers:
As per the CCPA, the following information must be provided in an access request:
The right to access is one of the toughest articles for businesses to comply with because organizations need to track the location of every consumer’s personal information in all on-premises and multicloud data systems. To meet this requirement, businesses need to identify personal and sensitive data solutions to help them ensure compliance with the CCPA.
CCPA not only gives individuals the right to access their information but also the right to request complete deletion of their data. The CCPA also allows consumers to request deletion of their data. If an organization receives a valid, verified request from a consumer, it must ensure the consumer’s data is deleted. To fulfill this request, organizations need to do the following:
A consumer can send in a request to the business to delete their personal information and covered businesses would have to comply if the PI is not required for:
The CCPA grants aggrieved consumers the right to bring private lawsuits against an organization that has had a data breach, due to lax security measures, in which their personal data was compromised. The damages granted in lawsuits can start from $100 and go up to $750 per individual.
Organizations are therefore required to implement a robust cybersecurity framework to protect themselves from litigation. In case of a data breach where the organization does not have reasonable procedures in effect to maintain the confidentiality of their consumers’ personal information, they will be facing the prospect of damages that could easily reach over $1 million if more than 10,000 people are impacted.
The law does not specifically mention the procedures which are deemed reasonable.
In 2016 the AG of California released a report on Data Breaches and defined reasonable security measures to mean the implementation of 20 controls listed in the Center for Internet Security’s (CIS) Critical Security Controls, to identify the minimum level of information security that all organizations that collect or maintain personal information should meet and that an organization’s failure to implement all of the controls constitutes a lack of reasonable security.
The 20 controls are:
The CCPA requires that compliance professionals who handle consumer inquiries be trained on all the rights granted to consumers (this can be done through the help of online courses and training modules to give your staff better understanding of the data privacy sector and how to manage consumers) under the CCPA, and how consumers can exercise those rights. This would include, for example, the employees staffing, the 800 number and the ones who are responding to consumer inquiries and requests for information.
It is advisable to go through each item on this checklist to ensure your organization is compliant with the CCPA.
Update Privacy Policies
|Although companies follow the strictest standards when drafting privacy policies, they need to make sure that their policies are compliant with the CCPA.|
Create Methods of Accessibility
|Establish a means for the customer to easily request data access and data deletion. This could be at minimum a toll-free number|
|People that can verify their identification can access their information held by organizations. Verification systems will be a part of the CCPA compliance regulations|
|Prepare records, data maps and inventories of Californian’s personal data to fulfill any requests in an efficient and timely manner|
|Adding in an opt-out button will help you stay compliant without the added hassle of manually updating that customer.|
Obtain Consent from Minors
|Minors under the age of 16 will not automatically consent under CCPA. Organizations need to develop a process by which they can obtain direct consent from those aged 13-16 years, or parents consent from minors under 13 years.|
Organizations that hope to comply with the CCPA using traditional methods will face several resource and time challenges. Automation is the only way to practically manage these requests. Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your CCPA compliance process today.