
Hacker Noon, by @shreyansh

5 Things You Need to Know About CCPA Compliance


@shreyansh, RSI Security

RSI Security is the cybersecurity firm that specializes in protecting data for companies worldwide.

The California Consumer Privacy Act (CCPA) applies to companies that have customers in the Golden State. The statute “represents a shift in perspective” on personal data, and it has aspects that compliance practitioners must take seriously if their companies are to comply with it.

Given below are five such things that you need to know about CCPA compliance:

Companies must confirm whether they are subject to the CCPA, and if they are, they must not simply hand compliance off to the IT team: Not every organization is subject to the California Consumer Privacy Act.

It applies only to for-profit businesses that meet at least one of three thresholds: gross annual revenues above $25 million; buying, receiving or selling the personal information of 50,000 or more consumers, households or devices per year; or deriving 50 percent or more of annual revenue from selling consumers’ personal information.

Nor does a for-profit business need to be based in California to be subject to the law. If your company is subject to the CCPA, the fact that the statute concerns data protection and privacy does not mean the reins should simply be handed to the IT team.

It is primarily a legal compliance matter, which warrants assembling a cohesive team of legal, business and technology experts to assess all of its implications. This means the team should include a CCPA consultant as well as an RSI Security expert.

Companies must set a schedule, and must decide whether to extend CCPA protections to their entire customer base: Companies must set a realistic timeframe within which to achieve compliance.

Unrealistic targets such as two or three weeks are almost certain to result in failure and frustration. An organized, steady approach to complying with the California law is far more advisable. Companies must diligently inventory their collection, use and storage of data, especially personal information.

Other things that take time include developing evaluation processes, responding to data access requests and training employees. A predicament many companies face is whether to extend CCPA protections to their entire client base, not just California residents.

This issue mostly arises for companies that are heavily consumer-facing and depend on direct customer relationships for a sound reputation.

Companies need to revisit their online privacy notice and document robust security practices: Companies need to revise their online privacy notices to include descriptions of the categories of information collected, the third parties with whom data is shared and all the rights available to individuals under the statute.

Companies must also review their internal policies and procedures, redrafting them where necessary to reflect the specific needs and uses of the organization. Documenting robust security practices under the CCPA means that covered businesses must review their information security processes against established data security standards, such as those published by the National Institute of Standards and Technology (NIST), the CIS Critical Security Controls and standards from the International Organization for Standardization (ISO). This matters because the CCPA’s private right of action for data breaches turns on whether the business maintained reasonable security procedures and practices; in the event of a breach, documented records of such controls will help support the position that it did.

Companies must have a data subject request process in place, and must know where their data is: Under the California law, the obligation to verify the identity of a requester is important.

Businesses that fail to meet these verification obligations, or that release personal information in a way that harms the consumer, risk litigation.

Hence, they should be ready to intake and act on access and deletion requests from consumers. They must also map the personal information they maintain, or that service providers maintain on their behalf.

Specifically, this includes personal information collected in the previous 12 months, the purposes for which it was collected and the categories of third parties to whom it was disclosed in the previous 12 months. CCPA compliance also extends data privacy disclosures into the offline domain.

Companies must review all vendor contracts and proactively begin training employees: They must identify every vendor with access to personal information, pull the contracts and check the data-use language.

Accordingly, they must begin putting contractual amendments in place to restrict vendors’ access to and use of data. CCPA compliance also requires thorough training.

To be on the safe side, this training should be overseen by a team that includes a CCPA consultant and an RSI Security expert. Personnel responsible for receiving and acting on consumer requests must be trained thoroughly enough to understand the privacy program, in order to reduce business risk from both a process and a communication perspective.

Besides the points above, there are a few other things companies subject to the CCPA must know. Personal information under the CCPA is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Companies subject to the CCPA that fail to comply can be sanctioned heavily, generally in the form of large fines. The Attorney General can bring a civil action against a company that fails to cure a violation within 30 days of being notified of it, with civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation.

This means that intentionally violating the CCPA rights of 1,000 consumers could result in penalties of up to $7,500,000. Finally, no, the CCPA is not the California version of the GDPR, and it is not by any stretch of the imagination an extension of the GDPR. Though there are noticeable commonalities, the differences are substantial.

Differences include the entities they cover, the information required in privacy policies, prior consent and the sale of personal information. A CCPA-compliant privacy policy must describe the kinds of information the company collects and processes, why and how it does so, how users can request access to, changes to, portability of and deletion of their personal data, how the company verifies the identity of the person submitting a request, whether it sells users’ personal data and how users can opt out of that sale.
