Compliance with regulatory agencies isn’t just a good idea, it’s a requirement. The California Consumer Privacy Act (CCPA) gives Californians a list of rights regarding how their personal information is handled. Keeping on top of all CCPA requirements may seem like a complex, daunting task, but it pays off. By staying compliant, you’ll find and remediate many security flaws in your systems and have clear plans to address various incidents.
With the help of our checklist and a step-by-step approach, you can become CCPA compliant before you know it.
Understanding CCPA
Originally established in 2018, the CCCPA was amended in 2020 to expand the privacy rights afforded to Californians. These expanded rights came into effect on January 1st, 2023.
The list of rights protected under CCPA can be summarized as follows:
- The right to know – Consumers must be informed when their personal information is collected.
- The right to delete – Also known as the right to be forgotten, you must grant consumers the option to delete their personal information (with some exceptions).
- The right to opt-out – You must allow consumers to opt out of their personal information being shared or sold.
- The right to non-discrimination – You must not discriminate against consumers who opt out of sharing or selling their personal information.
And the two additional rights introduced in the latest amendment:
- The right to correct – You must allow consumers to correct any inaccurate personal information you have collected.
- The right to limit – You must comply with requests to limit the use and disclosure of personal information you have collected.
If you’re a for-profit business that meets any of the following criteria, then being CCPA-compliant is required by law:
- You have gross annual revenue of at least $25 million.
- You buy, receive, or sell the personal information of at least 100,000 California residents, households, or devices.
- Your annual revenue from selling the personal information of California residents is at least 50% of your total annual revenue.
Businesses that fail to comply with CCPA may be subject to legal action by the Attorney General or the California Privacy Protection Agency that may result in fines. Furthermore, in the case of a data breach and a failure to remediate within 30 days, you may be sued for damages by Californian residents.
Your checklist for achieving CCPA compliance–and staying compliant
The most intuitive path to CCPA compliance is going through a checklist. The following list will give you a deeper look into the items you must check. The accompanying downloadable checklist will help you break those tasks into smaller items and keep track of your progress.
1. Make a complete inventory of your data
You can’t protect data you don’t know you have. You must have a complete inventory of all your data assets to protect, modify, and delete the data if necessary. This may include cloud storage, database backups, dark data, and more. Developers sometimes make copies of data for testing purposes; this data must also be protected or deleted.
It may be necessary to employ specialized tools that track data across your organization to get a true picture of where your data is stored and how it is handled throughout the data lifecycle.
2. Write a privacy policy
You must have a privacy policy and display it in a ” conspicuous ” way on your website. You must offer the consumer a link to the privacy policy at the time of data collection. Your privacy policy must inform your consumers of their rights and how your organization handles their collected information.
You must update your privacy policy every 12 months.
3. Establish a process for handling consumer requests
You must have a streamlined process for handling consumer requests for accessing, deleting, correcting, and opting out of sales. You must comply with requests promptly. The CCPA demands that you comply with a request within 45 days and provide any information up to 12 months before the request. You may apply for an additional 45 days, provided you reasonably justify the delay and notify the consumer.
The CCPA aims to grant California residents greater control over their PII through the rights outlined in the policy. To further elevate your consumers’ control over their PII, employ a tool like Memcyco on your website; It protects your consumers and online shoppers from fraud, potential phishing attempts, spoofing, and brandjacking, by enabling them to verify your website’s authenticity using an unforgeable watermark.
4. Implement technical data collection controls
Implementing technical data collection controls comes down to enforcing your privacy policy via technical controls. Establishing technical controls in accordance with your privacy policy helps prevent human error and enables complete oversight over the collection and storage of PII.
5. Securely store and process PII
Implement policies and procedures to ensure all personal information is stored, transmitted, and processed in accordance with CCPA requirements. Data retention must be time-limited, as you’re not allowed to store data forever, so you must have a procedure to delete data once the retention period is over. You must also implement adequate security measures to protect your data in transit and storage.
6. Conduct regular third-party audits
If you’re working with partners or services, you must audit their compliance with CCPA. If your partner isn’t compliant, neither are you. Working with partners already compliant with CCPA will naturally make this step easier.
Remember that auditing your partners once is insufficient; you must regularly investigate their compliance.
7. Employee Training
Security is only as strong as your weakest link, and in the world of cyber security, the weakest link is often human engineering. Employee training is essential to your organization’s CCPA compliance and general security awareness.
Provide employees with adequate training in handling PII and complying with consumer requests.
8. Incidence Response
An essential part of CCPA compliance is an incident response plan. Data breaches will happen, and the looming question is: what will you do about it? A response plan does not prevent security breaches, but it can significantly reduce the cost of a data breach. A properly developed response plan can reduce the risk of mishandling private information, which in turn will reduce incoming complaints from customers.
9. Regular internal reviews
If you are in non-compliance, you want to be the first to know. Performing regular internal reviews ensures that you remain compliant. You can hire a qualified third party to perform an audit, or if you have specialized employees, do so internally. Regularly review your processes and policies and act to remedy any non-compliance.
10. Breach notification plan
CCPA requires that you notify your consumers and relevant authorities in case of a breach. Having a plan in place before such a breach occurs will keep the costs down and help you provide those notifications in a timely manner.
11. Record everything
Compliance is all about record keeping. You must maintain a record of all customer requests and how you respond to them. Records of internal audits and any remediation processes you have taken can prove your compliance.
12. Communication is key
Work closely with your legal counsel to ensure compliance. Keep your stakeholders informed. CCPA compliance is the managing staff’s responsibility, so you must inform all stakeholders and understand the needs and expectations of CCPA compliance. Ensure everyone takes part in maintaining long-term compliance.
Foster trust with compliance
The cyber security threat is growing daily, with many organizations moving their services to the cloud. Consumers are becoming more security-conscious and looking for organizations they can trust. CCPA compliance fosters trust with a clear privacy policy and a set of rights your consumers can understand.
Take trust to the next level with Memcyco. Protect your consumers from data breaches, phishing attempts, and spoofed websites. Trusting customers are more likely to return–Prove to yours that they can trust your brand integrity.
Find out what Memcyco can do for you.
Director of Product Marketing