CCPA Compliance | NAVEX Global

Challenge of addressing the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) aims to give California residents more control over how companies collect and use their personally identifiable information (PII). The CCPA does this by granting California residents certain rights to see and control the PII that companies collect about them. Companies subject to the CCPA must comply with the data privacy law by creating mechanisms that allow California residents to exercise those rights. For example, the CCPA allows a California resident to know what personal information a company is collecting about him or her, and obtain a copy of that information. It allows residents to know when their information is sold or disclosed, and to whom; and gives residents the right to opt out of such sales. A company must also provide equal services and prices to all residents even when they exercise their opt-out rights.

As a practical matter, most companies can’t easily restrict CCPA requirements to California residents only. This means companies will need to extend the CCPA requirements to all the PII they handle, and any necessary policies or procedures (such as granting methods for residents to view PII) will likely need to apply enterprise-wide. Enforcement and litigation risks for non-compliance could be severe. The CCPA allows the state to seek civil monetary penalties for each infraction, and it also allows consumers to file their own civil litigation seeking damages arising from data privacy breaches.

See How Data Privacy Training Can Help

What you need to comply with the California Consumer Privacy Act

Clear Policies

Development and disclosure of privacy policies to align with CCPA compliance

Intake Systems

Mechanisms that all consumers to submit requests to see their PII or to opt-out of data selling

Data Map

The company should identify PII it collects about California residents, how that data is processed, and where the data resides

Training

Employees must be trained on the company’s responsibilities under the data privacy law how to handle consumer inquiries

Third-Party Risk Assessment

Processes to research and vet third parties that handle consumers’ PII on the company’s behalf

Breach Response Plan

Protocol to disclose a breach once discovered, or to investigate allegations of a breach brought to the company’s attention.

Steps You Can Take to Ensure Your CCPA Compliance Moves Forward

Step 1: Make sure your policies and procedure management program stays in alignment with California’s data privacy law as it evolves. Lawmakers have debated amendments to the CCPA throughout 2019 and will continue to do so.

Step 2: Offer multiple methods for consumers to submit data review requests, including a toll-free telephone number and a web-based method.

Step 3: Train employees on how the CCPA applies to their duties — from employees who might handle data review requests from consumers, to marketing staff developing data collection plans, to IT staff developing opt-out mechanisms or cookies, and more.

Step 4: Perform a risk assessment on third parties that handle PII on your company’s behalf. Confirm that your policies and procedures for working with those third parties address CCPA compliance issues.