Overwhelmed? Here’s a Quick CCPA Compliance Checklist
May 8, 2020
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and the Attorney General begins enforcing it on July 1, 2020. Your company can be fined up to $2,500 per violation, and up to $7,500 per violation if the violation is considered intentional. Because penalties are assessed per violation, fines can add up quickly depending on the size of your customer base.
Your organization must be able to comply with California’s new data rules, which (among other rights) give consumers:
- The right to know what personal information is collected, used, shared or sold
- The right to delete personal information held by businesses
- The right to opt out of the sale of personal information
- The right to non-discrimination for exercising these rights
(For background, be sure to check out our article, “What Is The CCPA?”)
Feeling overwhelmed? Broadly, CCPA compliance breaks down into three areas: knowing what personal information you hold and where it flows, giving consumers a way to exercise their rights, and running the processes and training needed to fulfill requests. Here’s a short checklist to get you started:
- Find and categorize the personally identifiable information (PII) of California consumers you have
- Determine how PII is stored and how it flows across your company
- Document the purpose of PII collection and how it is used across your company
- Determine who has access to PII
- Determine the quality and accuracy of PII
- Identify third parties that process, access or store PII
- Document where you’ve sold PII in the last 12 months
- Publish your Consumer Rights Management website portal (user interface) – including options for PII access, deletion and do not sell
- Establish security to verify consumer identities
- Provide a toll-free number for California residents to submit requests
- Update external privacy policies and notices to comply with CCPA disclosure requirements
- Ensure you can confirm, respond to and deliver on requests within the required timeframe
- Create processes and procedures for receiving and fulfilling consumer requests
- Implement any technical or automated approach to handling request execution
- Establish a confirmation response and delivery process for requests
- Train employees personally responsible for handling CCPA requests
- Provide CCPA training to your employee base
- Update internal privacy policies and procedures to comply with CCPA
How Prolifics Can Help With CCPA Compliance
We have the products and solutions to help your company work towards compliance with any data privacy laws. And while we offer a step-by-step approach for an end-to-end solution, we can help you at any point in your compliance journey.
- Data identification: Prolifics’ unique Data Hawk solution quickly scans all your data, not just file names or column headers, to find PII and identify where data privacy is at risk.
- Customer access: We’ve partnered with privacy software company OneTrust to generate the front-end experience. Alternatively, we can work with you to create a low-code, customized user interface (UI).
- Request execution: We work with providers like IBM and Talend to customize software that can execute big data integration and management.
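To make the “scan the data, not just the headers” point concrete, here is a small content-based scanner. It is an added example, not code from Prolifics or the Data Hawk product, and it assumes CSV input, a handful of regex detectors and a 60% match threshold, all of which are the example’s own choices rather than anything CCPA prescribes. The detectors map each hit to one of the statutory categories quoted later on this page (identifiers, geolocation data).

```python
"""Content-based PII discovery over tabular data.

Added example (not Prolifics' Data Hawk or any other product's code). It
inspects cell values rather than column names, because a column called
"notes" or "field_7" can hold e-mail addresses or national ID numbers
that a header-only inventory would miss. The sample rows below are
constructed for this example; the patterns and the 60% threshold are
the example's own assumptions, not a CCPA requirement.
"""
import csv
import io
import re
from collections import Counter

# Each detector maps a regex to the CCPA category it most plausibly lands in.
# Patterns are anchored to the whole cell to keep false positives down.
DETECTORS = {
    "email":    (re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"), "identifiers"),
    "us_phone": (re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"), "identifiers"),
    "ssn_like": (re.compile(r"^\d{3}-\d{2}-\d{4}$"), "identifiers"),
    "ipv4":     (re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"), "identifiers"),
    "lat_long": (re.compile(r"^-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}$"), "geolocation data"),
}

MATCH_THRESHOLD = 0.6  # assumption: flag a column when >=60% of non-empty cells match one detector


def classify_column(values):
    """Return (detector_name, ccpa_category, hit_ratio) for the dominant PII type, or None."""
    cells = [v.strip() for v in values if v and v.strip()]
    if not cells:
        return None
    hits = Counter()
    for cell in cells:
        for name, (pattern, _category) in DETECTORS.items():
            if pattern.match(cell):
                hits[name] += 1
                break  # count each cell against at most one detector
    if not hits:
        return None
    name, count = hits.most_common(1)[0]
    ratio = count / len(cells)
    if ratio < MATCH_THRESHOLD:
        return None
    return name, DETECTORS[name][1], round(ratio, 2)


def scan_csv(text):
    """Scan CSV text; return {column_name: (detector, category, ratio)} for flagged columns."""
    reader = csv.DictReader(io.StringIO(text))
    columns = {field: [] for field in reader.fieldnames}
    for row in reader:
        for field in reader.fieldnames:
            columns[field].append(row.get(field) or "")
    findings = {}
    for field, values in columns.items():
        result = classify_column(values)
        if result:
            findings[field] = result
    return findings


# Constructed sample: the header names give no hint that "notes" holds e-mail
# addresses, "field_7" holds SSN-like numbers and "last_seen" holds IP addresses.
SAMPLE_CSV = """customer_id,notes,field_7,last_seen,comment
1001,alice@example.com,123-45-6789,203.0.113.7,renewed plan
1002,bob.smith@example.org,987-65-4321,198.51.100.23,
1003,carol@example.net,555-12-3456,203.0.113.99,called support
1004,n/a,321-54-9876,192.0.2.1,chargeback
"""

if __name__ == "__main__":
    for column, (detector, category, ratio) in scan_csv(SAMPLE_CSV).items():
        print(f"{column}: {detector} ({category}), {ratio:.0%} of cells")
```

Run against the sample, the scanner flags `notes`, `field_7` and `last_seen` even though none of those headers mentions e-mail, SSN or IP, which is exactly the inventory gap a header-only approach leaves open. In a real engagement you would point `scan_csv` (or an equivalent reader for database tables and object storage) at every store found in the data-flow mapping step, and treat each flagged column as a candidate entry for the categories and purposes you must later disclose.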
| Checklist item | What CCPA requires |
| --- | --- |
| Find and categorize the personally identifiable information (PII) of California consumers you have | CCPA establishes these categories of personal information: identifiers; customer records information; characteristics of protected classifications; commercial information; biometric information; browsing and search history; geolocation data; audio, electronic, visual, thermal, olfactory, or similar information; professional or employment-related information; education information; and inferences. Note that the statute’s “personal information” is broader than PII as commonly understood: it reaches inferences, browsing history and information that can be linked to a household rather than an individual. |
| Determine how PII is stored and how it flows across your company; document the purpose of PII collection and how it is used across your company; determine who has access to PII; identify third parties that process, access or store PII | A consumer has the right to request that a business that collects personal information about the consumer disclose: (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling personal information; (4) the categories of third parties with whom the business shares personal information; (5) the specific pieces of personal information it has collected about that consumer. You cannot answer these questions without a data inventory and a data-flow map. |
| Determine the quality and accuracy of PII | If you don’t know the quality and accuracy of your data, you won’t know whether you are truly working towards compliance, and the records you return to consumers may be incomplete or wrong. |
| Document where you’ve sold PII in the last 12 months | You must identify, by category or categories, the personal information of the consumer that the business sold in the last 12 months, and provide the categories of third parties to whom the consumer’s personal information was sold. |
| Publish your Consumer Rights Management website portal (user interface), including options for PII access, deletion and do not sell | If you have a website, you must make it available to consumers to submit requests for information required to be disclosed. |
| Establish security to verify consumer identities | CCPA is built around a “verifiable consumer request”: one made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State who is authorized by the consumer to act on the consumer’s behalf. A business is not obligated to provide information in response to a request if it cannot verify that the consumer making the request is the consumer about whom the business has collected information (or is a person authorized by the consumer to act on that consumer’s behalf). Treat verification as a security control in its own right: a portal that releases “specific pieces of personal information” to anyone who fills in a form turns the right to know into a channel for pulling another person’s records. Match the strength of verification to the sensitivity of what is released, and verify authorized agents as carefully as consumers. |
| Provide a toll-free number for California residents to submit requests | You must “…make available to consumers two or more designated methods for submitting requests for information required to be disclosed… including, at a minimum, a toll-free telephone number.” The statute carves out one exception: a business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting requests. |
| Update external privacy policies and notices to comply with CCPA disclosure requirements | You must “(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information. (2) Include a description of a consumer’s rights … along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in: … (B) Any California-specific description of consumers’ privacy rights.” |
| Ensure confirmation response and delivery process for requests | You must “…disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer.” The clock runs from receipt of the request, not from completion of verification, so record the receipt timestamp; the period may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified within the first 45 days. |
| Create processes and procedures for receiving and fulfilling consumer requests; implement any technical or automated approach to handling request execution; establish a confirmation response and delivery process for requests | “A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” In practice this means an export pipeline that can assemble one consumer’s records from every store identified in your inventory into a machine-readable format such as CSV or JSON. |
| Train employees personally responsible for handling CCPA requests; provide CCPA training to your employee base; update internal privacy policies and procedures to comply with CCPA | You must “Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements…and how to direct consumers to exercise their rights under (the law).” |