The California Consumer Privacy Act (CCPA) was passed on June 28th, 2018. Similar to the GDPR, the CCPA will require companies in scope to enhance data privacy management practices, expand individual rights processes, and update privacy policies by January 1, 2020. Those who have experience managing GDPR compliance know the importance and benefit of starting early. While some may have a head start, creating processes to manage new and ongoing compliance obligations under the CCPA will be a large undertaking of its own. Americaneagle.com and TrustArc, a leader in privacy compliance technology, have partnered to bring you 5 tips to help you jumpstart your CCPA compliance plan.
1. Start early.
There are two critical functions of your CCPA plan that will take more time than anticipated. The first is having time to obtain the budget and resources needed to close any gaps. In most cases, budgets are submitted several quarters before resources are allocated; getting a head start can ensure adequate funding for the technology or services needed to become compliant. Second, you will need ample time to build your team. Identifying people with the skills, knowledge, and experience necessary to join the privacy team can be quite difficult.
2. Understand fines associated with CCPA violations.
It is critical to investigate the magnitude of CCPA violations. Understanding the fines can help you articulate budget requests to your leadership team. The CCPA allows for fines of up to $2,500 per violation or $7,500 per intentional violation, but does not place a cap on the total amount of fines. The CCPA provides businesses with a period of 30 days to remedy alleged violations of the law before a fine can actually be assessed. For example, under the CCPA, a violation impacting 10,000 California consumers could carry a penalty of $25 million for an unintentional violation and as much as $75 million for an intentional one.
3. Secure a budget.
The budget must include all resources your team will need to address the requirements of your compliance program operations. When you’re planning your budget, consider the tools your team will need to analyze business processes associated with the CCPA. For example, the CCPA requires that companies meet the 12-month “look back” period. This means that consumers have the right to access their information for the past 12 months from the company holding the data. Using this example, the budget must include the use of any tools or technology your team will need to address this requirement. Furthermore, your budget should not be limited to the current year. As technology advances, and your business implements new processes that touch sensitive data, you will need to evolve your privacy program on an ongoing basis.
4. Leverage GDPR and other existing privacy program efforts.
If your company has implemented a GDPR compliance program, you can take advantage of that work and use it to help complete any remediations for CCPA. The resources used for GDPR can determine the different obligations for CCPA and resources can be distributed accordingly. Privacy teams can monitor the landscape for CCPA guidance specifics and fine tune any privacy programs as 2020 draws closer. If your company does not have to comply with GDPR, CCPA will have many new requirements that will take time to address, such as new consumer rights.
5. Organize your compliance program with these three pillars.
Creating a privacy program that’s compliant with the CCPA may sound like a daunting task. Focusing your efforts on people, processes, and technology will alleviate some anxiety and get you a head start on the compliance journey. We suggest that you keep these three pillars at the forefront of your planning process.
-
People - Identify the team members who will be responsible for conducting the tasks and whose informational inputs are necessary for a comprehensive assessment. Ensure that everyone involved is trained on the process and technology. Ideally team members will be well versed in data privacy management requirements and best practices.
-
Process - Design the workflow of information gathering and identify gaps against the requirements. Leveraging best practices and templates in questionnaire form instead of manual checklists will build efficiency. A business will likely need multiple templates to address different types of risk; however, a single template may be effectively used to address a set of processing operations that present similar high risks.
-
Technology - Privacy technology platforms with built-in digital data discovery, data inventory, DPIA / PIA and assessment templates, cookie consent, workflows, and reporting will enable a team to collaborate, guide the workflow process, serve as the central repository of compliance evidence, and facilitate ongoing periodic audits that reflect business changes.
Final Thoughts
Are you still anxious about CCPA compliance? Here's a practical guide to comply with CCPA requirements. Remember: companies both inside and outside of California will need to comply with the California Consumer Privacy Act. This guide will provide practical steps for implementing a CCPA compliance program, a CCPA to GDPR comparison, and immediate actions you should take for your CCPA compliance strategy.
Contact Us Today!