Blog

How to Prepare for CCPA Compliance: A Practical Guide for Data Controllers

On January 1, 2020, a new data privacy law comes into force that will affect organizations that collect and use personal data about citizens of California. The California Consumer Privacy Act (CCPA) is designed to give residents of the state more control over their personal data and requires companies to become more transparent about the data they collect and store about consumers.

The new legal framework comes hot on the heels of the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018. This post walks you through the key features of CCPA, explains how it differs from GDPR and outlines the practical steps data controllers and compliance teams can take now to prepare for the forthcoming legislation.

So let's get down to business.

What Is CCPA?

The California Consumer Privacy Act (CCPA) is a data protection law that the State of California enacted in response to growing public concern over the abuse of personal data. CCPA gives California residents more visibility and control over the information that websites and applications collect about them. Fines of as much as $7,500 will be levied per violation.

CCPA applies to personal data:

  • Provided directly by users in online forms
  • Collected by tracking tools and related technologies

When you consider how many consumers could be affected, that could potentially mean huge fines for companies large and small.

The CCPA complements existing state privacy regulations, such as the California Online Privacy Protection Act (CalOPPA), but it also introduces new requirements in the following key areas:

Right to Know: When Companies Collect Personal Data and are Selling Information

California citizens will have the right to know if their personal data is being sold by companies and have the right to opt out of the sale of that information. To facilitate this, you must make the opt-out process as straightforward as possible—this can be done by providing a Do Not Sell My Personal Information link in a prominent place on your website wherever you collect personal data.

This link should take the user to a web page, where they'll be able to instruct you not to sell their data. Moreover, if they make such a request, you shouldn't discriminate against them by changing the quality or price of your service or, worse, denying them access to your service altogether. Such actions will not only have a negative impact on your business reputation, they’ll also violate provisions of CCPA that will fine you for this practice.

Prior Consent

With CCPA in effect, companies will now only be able to sell personal data about California residents under the age of 17 if they've given you prior consent to do so.

Those aged 13–16 will be able to authorize the sale of their data themselves. However, in the case of children under the age of 13, it is required to obtain consent from a parent or guardian.

Right to Access

California users will have the right to access the personal data that companies store about them. They'll also be able to request you delete their data. However, you can decline this under certain conditions, such as when you need to keep their data to meet other legal requirements.

Consider the immense challenge that this presents enterprise organizations. Customer data can be stored across a variety of storage mediums. Today the cloud is becoming the first choice for storing such data exactly because it is so scalable, and it’s increasingly common for companies to store data across multiple clouds. Identifying and reporting on a single user’s data in all of those repositories is a task that is going to require an immense amount of effort..

You'll need to provide users with at least two ways of submitting access and erasure requests – one of which should be a toll-free telephone number. And you'll need to verify the identity of any such person who makes a request. Tracking those users’ data for when they make these requests is going to be up to you.

Who Must Comply?

The CCPA applies to any for-profit concern that does business in California, collects personal data about California residents, and meets one or more of the following thresholds:

  • It brings in annual gross revenues of at least US$25 million.
  • It collects personal information from 50,000 or more Californian residents, households or devices per year.
  • It generates more than 50% of its annual revenue by selling personal information about California residents.

Although the CCPA doesn't define what doing business in California means, you're likely to come under the definition if your business:

  • Is based in California.
  • Has employees in California.
  • Has connections with California through ownership of real estate or repeated sales to customers in the state.

CCPA compliance is therefore relevant to virtually any enterprise, regardless of where they're based in the world, as large-scale companies will far exceed the revenue threshold, have a global customer base and will, in all probability, do regular business in California.

Is CCPA the Same as GDPR?

No. GDPR is far wider in scope. For example, by contrast with GDPR, you don't need to obtain prior consent for simply collecting and processing personal data according to CCPA. But just because you're compliant with GDPR doesn't necessarily mean you comply with CCPA. Although GDPR and CCPA share many common features, you'll still need to meet specific requirements in relation to the sale of personal data.

Now let's consider some of the practical steps you'll need to take as you gear up to CCPA compliance. The following are five action points that will either directly or indirectly involve data controllers and compliance teams:Complying with the CCPA Law in Practice

1. Map Your Data and Information Flow

Start by drawing up a data inventory that covers all your enterprise IT environments. Then establish what information is classified as personal data under the CCPA. Bear in mind that the CCPA defines personal data as not only that which can be reasonably linked to an individual person, but also to a particular household or device.

You should also map the flow of data through your applications. This will help you identify which parts of your business may be using personal data about California citizens and what they're using it for. This will form the basis of your privacy policy. It will also help you determine whether you're selling any of that data and what CCPA compliance measures you'll need to implement accordingly.

In view of the CCPA thresholds that apply, it also makes sense to put reporting systems in place to inform you how much data you have about California citizens and the revenue you generate from it.

2. Ensure Your Personal Data Security

The CCPA sets out to address personal data security by giving the California Attorney General power to impose fixed fines in the event of a breach. However, these penalties only apply if you fail to protect personal data by means such as encryption or redaction.

So, if you've not done so already, you should encrypt your data wherever possible. But that is just a start. The challenge that CCPA presents goes well beyond encryption. You need to have the ability to find and identify the sensitive data that you’ve collected no matter where it’s stored across your cloud application data storage services. Manually, that process will be extremely time consuming and complex. Once this discovery and mapping takes place, the task of redacting and encrypting is simple.

3. Store Records of Consent

Make sure you maintain a record of consent for each and every California child that has given you permission to sell their data—or, in the case of minors under the age of 13, a record of consent from a parent or guardian.

Additionally, you'll need to store records of opt-out requests made by adults. Under the provisions of CCPA, you should not invite a user to opt back in for 12 months after they've opted out. So each opt-out record should also include the date the request was made.

These steps will not only give you a simple way to identify data you can sell and data you cannot, but will also ensure you have evidence to demonstrate CCPA compliance.

4. Update Your Website

First update your privacy policy by outlining what personal data you collect, why you collect it and how you process it.

Your website should also include clear details on how to make a right-to-access request, providing at minimum a toll-free telephone number. In addition, your privacy policy should explain how you verify the identity of the person who submits a request.

And don't forget to display a Do Not Sell My Personal Information link in an appropriate place on your website. Finally, you'll need to ask consumers for their age before you sell their personal data and seek relevant consent if they're aged 16 or under.

5. Raise CCPA Awareness

Keep in mind that CCPA compliance won't just be the responsibility of data controllers. Collaboration across your entire organization will be essential to a successful outcome, involving operations, development and security, legal and marketing teams in particular.

If you’re not already part of a compliance team, find out if you can become part of a company-wide compliance initiative. And if there isn't one then you should consider setting one up.

Conclusion: Privacy by Default

Organizations that have had to prepare for GDPR are better placed to respond to CCPA and have a clear advantage over their competitors as they prepare for new privacy regulations.

Many have learned that a privacy-by-default approach has opened up opportunities to drive new revenue—not only by serving as a differentiator in the privacy-conscious marketplace, but also by helping to reduce long-term spending on IT resources in today's data-driven business landscape. And of course, avoiding the hefty fines that CCPA can costs companies will be a great help to any company.

Despite these complex requirements, with the right processes and technologies in place, you'll be able to keep all your personal data safe, stay on the right side of the law, and be better equipped for other privacy regulation further down the line.

NetApp technology has always presented a safe and efficient way for data to be managed, and will continue to do so in a world with growing legal restrictions on how data is used.

New call-to-action

-