How to prepare for the CCPA

The California Consumer Privacy Act (CCPA) is a law passed in 2017 that aims to provide Californians with greater control over their private information. The law includes the right to access what information a company has collected and the right to request that the company delete that data. The CCPA goes into effect on January 1st, 2020 and will start to be enforced on July 1st, 2020. The preparations for this new law are reminiscent of the of the haste and confusion in Europe over preparing for the General Data Protection Regulation. To make this preparation easier, here are two perspectives on what you need to do – the Privacy Policy perspective and the information technology perspective. 

The following types of companies need to comply with the CCPA: 

• Companies that exceed $25,000,000 in annual gross revenue; 
• Companies that obtain the personal information of 50,000 or more California residents, households or devices per year; or 
• Companies that obtain 50% or more of their annual revenue from selling the personal information of California residents. 

The penalties for non-compliance with the CCPA are steep: $2,500 per violation and $7,500 per intentional violation of the law. The CCPA also allows consumers to sue businesses and collect from $100 to $750 in damages if their personal information has been breached due to the business failing to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the information. 

A Privacy Policy perspective

California has long required companies that collect the personal information of California residents online to have a Privacy Policy (see California Online Privacy Protection Act of 2003). The CCPA strengthens this requirement by imposing additional penalties and by adding that the Privacy Policy must disclose the following: 

•  A description of the consumer’s rights and one or more designated methods for submitting requests to enforce those rights; 
• A list of the categories of personal information that the business has collected about Californian consumers in the last 12 months; 
• A list of personal information that the business has sold in the last 12 months by category. If the business has not sold any information in the last 12 months then this has to be stated as well; and 
• A list of personal information that the business has disclosed to third parties in the last 12 months by categories. If the business has not disclosed any information in the last 12 months, then this has to be stated as well. 

It is important that you update your Privacy Policy to fit the disclosure requirements of the CCPA. Also note that the California Attorney General has a few months from the effective date of the law to promulgate additional rules, which may also affect how your Privacy Policy is written to comply with the CCPA. 

An IT perspective

As mentioned earlier, the CCPA affords Californians some new rights regarding their personal information. One of these rights is the right to access, meaning that a Californian resident can ask a business to disclose the categories and specific pieces of information that the business has collected about them. The business must deliver this information by mail or electronically, free of charge. If the information is provided electronically, it must be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance. When you think about where you and your staff store information, this seemingly simple task can all of a sudden become very overwhelming. Consider this: you may have personal information of customers on the backend of your website, in spreadsheets, in your accounting system, and in emails. In order to adhere to these requests quickly without exposing your company’s security posture, it is crucial that you review your company’s information management system in place. Many companies use this opportunity to review other policies because they have overlapping responsibilities such as Security Policy, Incident Response Plan, BC/DR Plan, Employee Handbook, and Employee IT Acceptable Use Policy. The CCPA also affords Californians the right to request that a business delete any personal information that it has collected from the consumer. Again, this can also be an overwhelming task if you do not have the proper infrastructure set up.

When one begins to discuss consumer information specifically, its easiest to break it down into sections and tackle the process section by section.

1. Analysis and Requirements
   1. What data are we collecting?
   2. Why are we collecting it?
   3. Who needs access to it?
   4. How long do we need to keep it?
   5. What security standards or compliance requirements do we need to adhere to?
   6. What security standards or compliance requirements do our customers or vendors need us to adhere to?
2. Design
   1. How are we collecting data?
   2. Where are we storing data?
   3. What technology controls are required to ensure the integrity and backup of data?
   4. What processed do we need to change and document?
   5. What process, security, and privacy training is needed for employees so that they can properly handle requests for information?
3. Implementation of technology or process and gathering consumer data
   1. Install/modify the system for collecting data
      1. Information Management System
      2. Security Systems
      3. Backup
      4. Proper logging, monitoring, and reporting
   2. Change and document processes
      1. Include new policy for informing customers regarding what data is being collected
      2. Include policy for handling a request for the information that was collected
      3. Include policy for requesting the deletion of data
   3. Training of employees
4. Testing
   1. Procedure walkthrough
   2. End-user and employee testing
   3. Security testing and validation
   4. Backup testing
5. Removal of data
   1. How is IT handling data retention length?
   2. Is data being properly disposed of?
   3. Does your recycler certify that documents were disposed so properly?
6. Scheduled review
   1. What needs to be fixed?
   2. What new requirements does the business have?
   3. What new security challenges are occurring?
   4. Implement changes
   5. Test changes
   6. Ongoing training

Start preparing now

While January 1st, 2020 can seem a far way away, it is less than half a year. In order to be fully prepared for enforcement and for consumer requests, it is crucial that you start preparing for the CCPA now by having a compliant Privacy Policy and the proper information technology infrastructure to be able to handle the new obligations imposed by this law. 

About the authors: 

This blog post was written by Donata Stroink-Skillrud with compilation contributions from Danny Poull to help businesses prepare for the CCPA. 

Donata Stroink-Skillrud President of Termageddon, a Privacy Policy generator that updates its policies whenever the laws change. Donata is a licensed attorney and Certified Information Privacy Professional. Donata is also a Fellow of the American Bar Foundation, a member of the American Bar Association’s Science and Technology Council, and a member of the ABA’s Cybersecurity Legal Task Force, Vice-Chair of Program Committee, and Vice-Chair of Privacy, Security and Emerging Technology Division.

Danny Poull, Data Solutions Architect for Wood Dale, IL-based CCC Technologies inc., and content contributor to this post is a veteran IT consultant with 13+ years of experience and over 10 certifications and a passion for assisting CCC customers to build IT management solutions. Danny stays up to date with security and business trends that impact businesses on a large scale by attending conferences, participating with CompaTIA, and attending training as well as talking to businesses directly about the challenges they face. He then helps those businesses design an IT solution to meet those needs.