Earthquakes aren’t the only things shaking up California: the California Consumer Privacy Act (CCPA) will take effect in about two months on Jan 1, 2020, and everyone from sales consultants to compliance experts has been weighing in (even my parents discussed the pros / cons of the CCPA at the dinner table).
Many pixels have been created and much ink has been spilled around this topic. Redundant articles (e.g. “Everything You Need to Know About CCPA”) and fear-mongering clickbait (e.g. “This 1 CCPA Trap Will Land You in Gitmo”) abound, so we’ll spare you the hyperbole with these five must-dos that will help you become CCPA compliant:
1) Know where the proverbial dead bodies are buried: Map where you’re getting data from and where it’s going
Map out all of the data that comes and goes through all of the internal (e.g. homegrown timesheet software) and external tools (e.g. marketing automation software, CMS) your company uses. Then, assess whether you’re collecting personal data (defined under the CCPA as data that’s linked to individual persons, households, and devices) and then tie them back to the parts of your business that are using that data (e.g. customer email lists) and whether you’re selling that data. All of this will inform what sections of the CCPA you have to be compliant with.
Note that as part of your data mapping work, you’ll need to put reporting systems and processes in place to determine how much personal data you have on Californians and the amount of revenue generated from that data. And if you’re wondering about revenue amounts under CCPA, businesses in California that 1) generate over $25 million in annual gross revenue, 2) get at least half their annual revenue from selling customers’ personal information (here’s looking at you Facebook, Google, and the DMV, to name some of the usual suspects), or buy, sell, or share personally identifiable information (PII) data of at least 50,000 people, households, or devices.
2) CYA: Trust, but verify, your vendors and partners actually support your CCPA compliance efforts
At risk of stating the obvious, auditing your vendors and partners on their CCPA compliance efforts (and more broadly, their infosec and privacy posture) will go a long way towards avoiding PR nightmares and fines. You can use SaaS tools like the Tugboat platform to assess and track your vendors’ security and compliance stance, or if you prefer the ol’ fashioned low-tech way of tracking things in spreadsheets and Word docs, then you could email customers the following questions and track their responses in a spreadsheet:
You can also use these questions to assess your business and document (if you haven’t already) everything you have been doing from a CCPA compliance standpoint, and the things you are working on between now and Jan 1, 2020.
3) Encrypt, encrypt, and encrypt your data
4) Store and track all records of consent
Remember Must-Do #1 (see above)? Well, under CCPA, Must-Do #1 is necessary because every child whose personal data you’ve collected must give you explicit permission to sell their data (why companies would collect children’s PII data is eyebrow-raising, not to mention vomit-inducing). Also, you must get a record of consent from the parents / guardians of children under the age of 13.
And when it comes to adults’ data, you need to keep a record of all opt-out requests and you cannot invite people to opt back in for 12 months after they’ve opted out (here’s looking at you recruiting agencies). Definitely document each person’s opt-out and the date they requested the opt-out / opted out of your business’s services and or products. Note this is similar to the GDPR’s requirements.
5) Update your website to include the following
This are all easy no-brainers to implement on your end:
6) Bonus: Get the CCPA checklist that tells you what you need to know and implement without legalese, fear mongering or hype
The checklist has CCPA guidelines and considerations for your business, and recommendations for policies and processes to implement. Here’s where you can download the checklist.