The No-nonsense CCPA Compliance Checklist
One of the strictest privacy laws in the United States, the California Consumer Privacy Act (CCPA), defines the responsibilities of businesses to protect California residents’ privacy rights. Compliance with CCPA ensures your business can fulfill these responsibilities in a way that makes sense for your California operations.
This 16-step CCPA compliance checklist will help you get started on your compliance journey. For more background on CCPA, check out this guide.
16 Steps to Prepare for CCPA Compliance
As you prepare to comply with CCPA, this checklist will provide a framework for measuring the scope of your company’s exposure as well as understanding the processes and controls you must implement.
1. Determine Whether Your Organization is Subject to CCPA.
CCPA excludes government agencies, non-profit organizations, and businesses that fall under other privacy regulations, such as the Healthcare Information Privacy and Portability Act (HIPAA).
Any other companies that do business in California and meet one of the following requirements must comply with CCPA:
Gross annual revenue greater than $25 million.
Buy, sell, receive, or share PI for commercial purposes from 50,000 or more from California residents, households, and devices.
Sales of PI account for more than 50% of company revenue.
Companies that do not meet any of these requirements are not subject to CCPA. Still, CCPA compliance may be useful to prepare for future growth or to reinforce your company’s social responsibility programs.
2. Audit Your Third-Party Exposure to CCPA Compliance
Most companies share consumer PI with billing services, credit card processors, and other third parties. CCPA requires these third parties to comply with your company’s PI protection policies.
Determine your third-party vendors’ compliance with CCPA, their security practices, and the controls they use to comply with your privacy policies.
3. Understand Your Exposure to Personal Information Regulation
Audit your data collection processes to understand:
What PI you collect.
How you store all PI.
Who in your company has access to this PI.
Which third parties you share this PI with.
Companies often collect more personal information than they realize, which increases their risk posture and could lead to severe financial penalties. You should identify opportunities to reduce the data you collect or limit the time you retain personal information.
4. Refine Your Data Governance
In light of the personal information you collect, review your data governance policies. An essential part of this assessment is a cost/benefit analysis of any data-selling practices.
5. Audit and Update Your Security and Data Protection Controls
Mitigate any weaknesses in your security and data protection processes. The CCPA does not prescribe specific methods, leaving it to each business to choose reasonable security measures for storing and transmitting PI.
However, certain practices can mitigate the impact of security breaches. Consumers can’t sue companies under CCPA if, for example, their stolen personal information is encrypted.
6. Prepare an Incident Response Plan
Whether an independent process or part of an overall risk management plan, develop incident response procedures to handle CCPA violations such as stolen PI or a breakdown in privacy practices. Assign responsibilities to specific stakeholders and perform regular simulations to prepare your responses to potential incidents.
7. Implement Identity Verification Systems
CCPA compliance requires responding to consumer requests. To do this, you must have processes to verify consumers’ identity. Granting someone access to another person’s personal information is a CCPA violation.
9. Develop a Notice at Collection
Companies must also provide consumers a notice at collection on or before requesting personal information. Among other things, this notice must list the categories of information you collect and why you collect them. If you sell this information, then the notice at collection must include a Do Not Sell link.
10. Implement Systems to Support Consumers’ Right to Know
CCPA defines consumers’ rights to know what personal information businesses collect about them. At any time, a consumer can ask you for a report detailing:
PI categories you collect from consumers.
Personal information specific to them you have on file.
Where you collect that personal information from.
How you use the PI you collect.
What kinds of third parties you share their PI with.
What PI categories you sell or disclose to third parties.
When a consumer submits a request, you have up to 45 days to respond with all information in the 12 months preceding their request. You can extend that window by another 45 days, provided you notify the consumer in advance.and have a reasonable explanation for why the extension is required.
You will need systems that let consumers place their requests, verify their identities, collect all relevant information, and distribute the information within the 45- to 90-day window.
11. Implement Systems to Support Consumers’ Right to Delete
California consumers have a limited right to request companies delete their personal information. Upon receiving a valid request, you have 45 days (or 90 days with a notification) to delete the information from your records and any third parties you share that information with.
Develop systems and processes to take and review these requests as well as methods to verify all relevant information has been deleted.
12. Implement Systems to Support Consumers’ Right to Opt-out
Californians aged 18 years or older may ask companies to stop selling their personal information. In the case of minors, the sale of personal information requires affirmative authorization. Minors between the ages of 13 and 16 may opt-in to the sale of their information. Companies need parental consent to sell the personal information of minors younger than 13.
Clear and conspicuous Do Not Sell My Personal Information links should send Californians to a page on your website that makes the opt-out process easy. Consumers may also submit their opt-out request in writing.
13. Implement Systems to Support Consumers’ Right to Non-discrimination
Companies may not treat consumers differently just because they exercise their rights under CCPA.
There are cases, however, where the non-discrimination right does not apply. For example, you can require consumers to provide the personal information needed to complete a transaction. A consumer unwilling to provide their information cannot expect preferential treatment.
14: Train All Personnel
Any people involved with collecting, storing, processing, selling, or sharing consumer information must follow your company’s privacy policies and procedures for protecting consumer PI. Conduct regular training sessions to ensure people understand their roles and responsibilities.
15. Use Automation to Monitor Compliance Continuously
Manually tracking CCPA compliance is impractical for companies above a certain size. Although CCPA doesn’t require an audit, you must constantly monitor data security and CCPA controls to avoid fines if you’re ever under investigation. The only way to ensure daily CCPA compliance is through automation. Crossing siloed tech stacks, automated CCPA compliance tools such as Drata give you a single view of your compliance posture.
16. Incorporate Feedback to Improve CCPA Compliance Processes
Your CCPA compliance process must evolve with the regulatory and threat landscapes. Stay ahead of these changes by developing feedback mechanisms to incorporate learnings from compliance events and conduct regular reviews of your CCPA compliance program.
Additional Steps for CPRA
Any CCPA compliance program must be ready for revisions taking effect on January 1, 2023. Approved in a 2020 referendum, the California Privacy Rights Act (CPRA) tightens many of the CCPA’s original privacy protections.
The CPRA’s changes:
Extend the right to opt-out of any data sharing that does not involve a financial exchange.
Replace the right to know’s 12-month rolling window to all data collected on or after January 1, 2022.
Require certain businesses to conduct risk assessments and may require independent cybersecurity audits.
Require third-party contracts to clearly define the what, why, and how of any data sharing. These contracts must prohibit the vendor from using personal information outside the contractual relationship.
Potential Risks of Not Being Compliant
For companies that collect information from minors less than 16 years old, a critical change introduced in the CPRA is a tripling of the maximum fines for privacy violations. Companies could pay up to $7,500 per violation and may be subject to civil penalties.
All other companies are still subject to the CCPA’s original penalties. In the event of a data breach, consumers may sue for up to $750 in damages per violation.
Companies may also violate CCPA if they do not respond to consumer requests and do not respond within 30 days to notifications from the California Office of the Attorney General. If accidental, companies face penalties up to $2,500 per violation. Intentional violations, however, could cost up to $7,500 per violation.
Given these costs, companies do not need a large presence in California to see their risk exposure climb. Developing an effective CCPA compliance program is essential. Schedule a demo to see how Drata’s compliance automation solution streamlines CCPA compliance.