Securiti Named a 2022 Cool Vendor in Data Security by Gartner

Download Now
Free Trial Schedule a Demo

Blogs

10 Tips to Prepare for CCPA Enforcement

Published on June 23, 2020 AUTHOR - JOSEPH ABRENIO

With the July 1 enforcement date fast approaching, California's Office of the Attorney General (OAG) has finalized the California Consumer Privacy Act (CCPA or the “Act”). Several sections of the finalized Act are critical to compliance with the act to include the following.

1. Be transparent with how your business collections and processes data. A fundamental principle of the Act is the requirement of “...notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.This includes the categories and sources of PII collection and a detailed description of any third-parties to which the business will be sharing this PII.

2. Think carefully on which data sales are worthwhile. Business units may wish to carry out a risk/reward analysis on how sensitive consumers are to the sale of data to certain sectors of third parties. Data collected from consumers may highlight that certain relationships are not financially beneficial to the business/seller.

3. Separate prices based on data disclosure are allowed but show your work. The regulations allow differential pricing based on the data subject’s decision to disclose their data, provided the business offers such incentives related to price or service differences. Furthermore, under CCPA Sec. 999.307(b)(5), the statement must demonstrate how the financial incentive or price difference is reasonably related to the value of the consumer’s data.

4. Rewards programs and incentives are allowed, but show your work. Businesses retain the right under the CCPA to offer financial incentives or price/service differentials if the difference is reasonably related to the value of the data at issue. Once again, documentation is key: “If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference”. Details are available in the text of the legislation. Note that when a business calculates the value of its consumer data, the business must be able to document and substantiate its procedure.

5. Household or joint accounts require extra caution. Businesses not providing password protected household accounts must comply with CCPA Sec. 999.318 before fulfilling a request to access or delete household information. Specifically, these businesses must:

  1. verify that all consumers of the household jointly request access to the specific information;
  2. individually verify the identity, in accordance with Section, 999.325, of each and every household members making the household request;
  3. verify that each member making the request is currently a member of the household.

6. Check the languages in which you do business. Regulations govern the noticing requirements provided to consumers. The most recent changes to the regulations amended the notice requirements to read “be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.’ [emphasis added]. This revised language shows an intent to limit this requirement to languages used by the company in California. Therefore, businesses must review the languages used to engage customers as part of the course of business in California. This review process should include signage at physical locations in the state, including: front desks, elevators, and room heating/cooling system instructions.

7. If you already sell PII (according to the broad CCPA definition of sell), you must now  get expressed customer authorization to continue this practice. The Act dictates that ‘A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer’. Therefore, If a company continues to sell this data to third parties without receiving an affirmative authorization, it will be in violation of the act. However, businesses can re-establish the right to sell by notifying the subject of their new privacy policy and acquiring affirmative authorization in the process.

8. Deidentification is sufficient. The regulations recognize that due to how records systems were constructed, active deletion of personal information may be difficult or impossible. Therefore the deidentification or aggregation of the consumer’s personal information is sufficient to comply with a consumer request to delete under the CCPA.

9. Act quickly on requests to opt out. These requests are both an exception to this rule and the most common request seen under the law. CCPA Sec. 999.315(f) mandates that businesses must comply with such requests in no more than fifteen (15) business days from the date of the request. The narrow window makes streamlined reporting of CCPA requests across business units essential for response-time compliance.

10. You do not have to search everywhere for data. Businesses are not required to search for personal information  if ALL of the following conditions are met:

  • the business does not maintain certain personal information in searchable/accessible format;
  • the business maintains the information solely for compliance purposes;
  • the business neither sells or uses the information for a commercial purpose;
  • and the business describes to the consumer the categories of personal information that went unsearched because they met the above criteria.

Therefore, security data such as security-camera footage would not be covered under these regulations. A hotel receiving an information access request from a guest would not have to search its CCTV  footage for video of the guest, as long as the hotel notified the guest that such security footage went unsearched because it met all other categories of this regulation.

In sum, businesses should focus on transparency with their customers and follow a risk-based approach on how they collect, processes, and disseminate personal information. Bottom line is, customer personal information belongs to the individual, not the business.

Share this

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Related Content

View More

June 28, 2022

DSARs: What You Need to Know

A data subject access request (DSAR) is a formal request by a user (data subject) to an organization collecting their data asking for details related to how their data is being collected, used, stored, and possibly shared. Furthermore,...

View More

June 24, 2022

Article 6 of the GDPR: Explained

Under the GDPR, personal data that directly or indirectly identifies an individual must not be collected, stored, or processed unless there is an appropriate legal basis to do so. Article 6 of the GDPR defines the six lawful...

View More

June 21, 2022

The Ultimate Guide to Privacy Impact Assessments for CPRA

When the California Privacy Rights Act (CPRA) comes into effect, replacing the existing California Consumer Privacy Act (CCPA), organizations will have to change their current business practices around personal information handling. One significant change will be Regular Risk...

Products

Solutions

Systems

Newsletter

Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 ISO certification RSAC Leader Forrester Badge IAPP Innovation award 2020 Sinet Innovator Award Gartner Cool Vendor Award

Company

Resources

Terms

Get in touch

[email protected]
PO Box 13039,
Coyote CA 95013

Copyright © 2022 Securiti

Sitemap - XML Sitemap

Securiti PrivacyOps Named a Leader in The Forrester WaveTM

View