The California Consumer Privacy Act 2018
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the legislation.
The CCPA is now the benchmark for data protection in the United States, with other states looking to implement a similar level of legislation.
Data Privacy Services can support your requirements to comply with the CCPA and other US state-based data protection legislation.
How do we comply with the CCPA?
Our certified CCPA consultants meet with your team to audit your current level of compliance
Our initial approach is to undertake a high-level audit of your organisation's existing baseline compliance status. This audit is aligned to the specific requirements of the legislation. We then review the audit findings, which form the basis for the privacy by design plan that we implement as part of our compliance project activities.
CCPA compliance management is designed to resolve all existing gaps in your organisation's compliance with US-based data protection legislation.
What have you done to date to comply with the CCPA? What is your approach to privacy management?
We will need to understand your overall approach to data privacy management and adherence to the key rights of individuals under the CCPA.
It is important to understand the general culture and how you process personal data. We also need to understand your general approach to the transparency of the processing and how this is communicated.
We will review your current compliance status and adherence to all of the main requirements of the CCPA.
We need to have a detailed understanding of how you process personal information that is covered under the CCPA.
It’s vital to discover the full details of your current processing of personal information that is in-scope of the CCPA.
We need to identify and evaluate the level of risk exposure and how we can enable you to mitigate those risks whilst demonstrating an effective but pragmatic level of CCPA compliance. We will specifically need to identify what is classified as personal information and what is classified as sensitive.
Our expertise in digital data management systems complements our legal skills to provide you with an all-round risk assessment of the processing of personal data. This combination of skills and experience is a significant differentiation in value that Data Privacy Services provides in this sector.
We document your processing within a Data Processing Inventory; this is a legal requirement and forms the ‘building block’ of data protection compliance.
How do businesses comply with the CCPA?
All businesses that are in-scope of the legislation (see below) are required to comply with the articles that are stated within the CCPA Regulation. These articles are listed below:
- Article 1. General Provisions
- Article 2. Required Disclosures to Consumers
- Article 3. Business Practices for Handling Consumer Requests
- Article 4. Service Providers, Contractors, and Third Parties
- Article 5. Verification of Requests
- Article 6. Special Rules Regarding Consumers Under 16 Years of Age
- Article 7. Non-Discrimination
- Article 8. Training and Record-Keeping
- Article 9. Investigations and Enforcement
What businesses are in-scope of the CCPA?
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Compliance services you can trust
How long will it take for my organisation to be compliant?
This very much depends upon your chosen approach. If you engage Data Privacy Services to undertake a CCPA compliance project, this will typically take up to about six weeks.
To start with we assess the compliance status and then review your processing of personal data by producing the Data Processing Inventory (e.g. a ROPA). This is an important legal requirement but it also forms the building block of compliance as it is used to assess the risks of the processing.
We then take a risk-based approach to bridging the gaps in compliance, which usually involves developing the missing documentation, implementing processes and procedures, and ensuring that there is suitable training in place.
All of this does take time, but usually we get this all done within a six week period.
We take on the compliance overhead
How much of an overhead is this on the organisation's employees?
Our team of professional accredited CCPA consultants can assist your organisation to achieve full compliance in a matter of weeks.
We do have to work with an appointed person within your organisation so that we have a single point of contact who can assist us with information and existing documentation, and who is on hand to answer any queries that we may have.
Overall, our CCPA compliance projects are not a significant overhead on the organisation's management team and staff members. We like to believe that we are fairly ‘self-sufficient’ in the way that we manage the delivery of data protection compliance.
There is a need for catch-up meetings, interaction with some subject matter experts (especially during the development of the Data Processing Inventory), and IT for review of the digital systems.