CCPA Best Practices

Notice: This is for discussion purposes only. Winmo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of the CCPA or any other rule or regulation. To understand how the CCPA or any other law impacts you or your business, you should seek independent advice of qualified legal counsel. 

Our personal data is constantly being gathered and often stored electronically, and recent data regulations are highlighting the importance of it being handled and used responsibly. Several notable laws and regulations have been put in place by governments and by industry in order to more effectively protect personal data, and it’s clear data compliance is here to stay. 

Beginning internationally, Canada introduced  CASL in 2014 , which was followed a few years later by the EU’s GDPR in 2018. These regulations have left businesses frantically preparing their internal processes to avoid penalties and fines. Now, legislation is being implemented here in the US on a state-level, beginning with California and interest from several other states who are likely to follow suit. 

With the California Consumer Privacy Act (CCPA) upon us, beginning January 1, 2020 many companies are wondering how best to prepare. While Winmo has taken measures to become CCPA compliant, we recommend doing so as well if you haven’t already started. 

So, what does the CCPA mean for your business?

As the first state-level privacy law in the United States, the CCPA was created for the purpose of protecting the privacy and personal data of consumers who live within the state of California and as mentioned above, will go into effect January 1, 2020. According to the official CCPA website, the act provides California residents with key core right changes including: 

1. Gives residents more ownership

The CCPA guidelines apply to a much larger amount of data, requiring more transparency when it comes to data. How is this transparency achieved? 

Residents can require more notice and specifics when it comes to uses of their information throughout each category of data being collected. Two free requests for information on what and where personal information is being used are granted to each resident. They can also prohibit companies from disclosing their personal information. 2. 

2. Gives residents more control 

The CCPA also gives residents the ability to request the deletion of personal information as well as the right to know about disclosure and sales of personal data. 

The act also prevents discrimination for exercising these rights. All customers should receive the same quality of service, with no heightened expense for putting CCPA policies into practice. 

3. Gives residents more security

Violations are also put in place for any business that does not implement a reasonable level of security against data breaches. Organizations are subject to expensive fines and penalties should they neglect to take security measures to protect resident’s personal information. 

GDPR vs CCPA 

While the GDPR and CCPA share a fair amount of similarities in how they protect data, there are several key differences between the regulations. 

There is a different scope, exceptions, and definition of rights for each act. For starters, the GDPR applies to data controllers and data processors. The CCPA only applies to for-profit businesses that meet one of the following requirements: 

• Has an annual gross revenue of $25 million or more. 
• Possesses the personal information of 50,000 or more consumers, households, or devices. 
• Earns more than half of its annual revenue by selling personal information. 

Generally, the CCPA applies to any for-profit business that does business in California, collects personal information of California residents or has residents’ information collected on behalf of the business, and determines the purposes and means of processing that personal information. 

Overall, the CCPA gets to the data layer much more quickly than GDPR. You really have to know your data and be able to track that the data was acquired by a regulated business. Commercial agreements amended for GDPR will need to be further amended considering the two differ in privacy notices and rights. 

The GDPR provides consumers the right to correct inaccurate personal data and restrict or object to data processing. While the CCPA doesn’t specifically include these rights, it does require a “Do Not Sell My Personal Information” option on business websites, requirements for disclosing personal information sales or collection to the consumer, and nondiscriminatory treatment of consumers who exercise their rights according to CCPA guidelines. 

CCPA Checklist 

So where should you start? We recommend using this simplified checklist to get the ball moving. These nine steps will help you align your organization with CCPA requirements, as well as help prepare for the regulation and everything it entails for customer data privacy. 

1. Determine if CCPA applies to your business
2. Understand your current data collection process, specifically by state (in this case California)
3. Review privacy policies and procedures 
4. Create a plan for data requests
5. Evaluate how personal information is sent
6. Assess how personal information is shared
7. Review contracts and disclosures 
8. Reevaluate third-parties 
9. Prepare internal training 

Compliance Best Practices 

In order to best prepare your organization to meet CCPA guidelines, take the following steps to ensure customers are able to exercise their rights under the new act: 

• Provide two or more methods for consumers to submit requests concerning their personal information. These opt-out options must include a toll-free telephone number, and at least one additional method such as a designated email or form. 
• Establish protocols to respond to consumer requests within 45 days of receiving them. 
• Update your privacy policies to align with CCPA rights. 
• Analyze data collection and documentation. It’s crucial to have a system in place to provide consumers with this information. 
• Provide consumers with a notice that their personal information is being sold. If they would like to opt-out, have an organized process in place to handle these inquiries in a timely manner. 
• Assess and document your data security practices to ensure your data is taking the right steps to protect itself against security breaches. 

It’s imperative that your legal team reviews the entire CCPA initiative and takes the correct steps to implement a plan to remain CCPA compliant. We also recommend educating your entire company on the key changes going into effect in January. 

The Future of CCPA 

While California is the first state to put guidelines in place, other states will follow their lead soon. With similar legislatures likely to pop up over the next few years, it’s crucial to be prepared to react to these new initiatives. 

Keep in mind that compliance is ongoing, what you’re doing today may not be what you’re doing in 12 months. Organizations should be able to respond as additional requirements come into place with CCPA expansion and other states joining the movement. We recommend having a program in place to think through current legal requirements you have now, and what may be required in the future. 

With the end of the year approaching, the CCPA will be here before you know it. Businesses that have not already begun compliance would do well to begin preparations immediately.