A step-by-step practical guide for the California Consumer Protection Act (CCPA)
There are thousands of articles on the web that analyze in depth the legalese and jargon of the California Consumer Protection Act of 2018.
But as a business owner or data protection officer who handles California residents’ data, you want to know exactly what you need to do to follow the rules while avoiding hefty fines and customer complaints.
The California attorney general’s office enforces the CCPA, with penalties ranging from $2,500 per violation (non-intentional) to $7,500 per intentional violation.
This could mean per data field per person, and as we’ve seen with GDPR fines, these massive fines could be detrimental to your organization.
The California Privacy Rights and Enforcement Act of 2020 (CPRA), also called the CCPA 2.0, has been passed and will enter enforcement starting January 2023. The CPRA borrows heavily from its predecessor, so now is a great time to start if you are not yet CCPA compliant.
Let the following guide act as your roadmap to CCPA compliance.
By following this guide, your company will be able to meet the following obligations under CCPA:
The above six (6) obligations can be divided into different workstreams and addressed concurrently.
I also discuss the potential consequences of non-compliance, including hefty fines. This guide is intended to serve as a roadmap for businesses to achieve CCPA compliance.
Step 1 will help you determine if your company is in scope for CCPA and must comply.
The CCPA does not only affect California-based companies.
If your company collects the personal information of California residents and households AND the answer is “Yes” to ONE of the following three criteria, then you are in scope for the CCPA.
If you answered “No” to every question above, you are not a covered business under the CCPA.
This is broken into two parts: 1) personal information and 2) what is considered a California resident and household.
1.B.1. First, what is considered personal information?
If the data you collect can be used to identify an individual, household, or device, then it’s personal data. If you have customers or employees, then you collect personal information. Most common examples of personal data include:
Personal information publicly available, meaning publicly available in federal, state, or local government records, is NOT in the scope of CCPA.
Additionally, certain financial information and medical information regulated by the Health Information Portability and Accountability Act (HIPAA) are exempt from the CCPA. Step 6 has the complete list of CCPA exemptions.
So, does your organization collect personal information? If not, you are among the lucky few to whom the CCPA does not apply.
If you conduct business in California, it’s safe to assume that you have personal information of California residents as either customers or suppliers.
The CCPA covers only those domiciled in California, meaning they ordinarily live in California. Even if a California resident leaves temporarily, they are still in scope wherever they go.
For example, suppose a Californian travels to New York and visits your site from New York (or anywhere). In that case, they’re in scope for the CCPA, and your organization must handle their data responsibly.
For that reason, most companies that conduct business in the USA and satisfy the requirements in (1A) above choose to comply with the CCPA proactively.
Step 2 will walk you through identifying the data in scope, creating a data inventory, and developing a record of all the personal data you process for attestation purposes.
As we discuss in Step 4, your organization must be able to, at a minimum, tell California residents the categories of information you collect, disclose and sell.
Additionally, your organization must be able to give California residents access to the information you collect and honor deletion requests for data that is no longer needed, all within 45 days.
Therefore, your organization must be able to quickly locate personal information across all your business systems and data repositories. To handle this complex task, many organizations have created a centralized data inventory for CCPA compliance.
A data inventory is a list of data inputs and outputs for each business system and application. For CCPA, the inventory will focus on identifying the in-scope personal data and ensuring that your data handling practices meet CCPA requirements.
A data inventory is also vital for your business because it will act as a record for the data you process, which the Attorney General will request from you in case of an incident.
The following steps will allow you to create a data inventory:
2.A.1.1. Identify in-scope systems and applications.
Use resources like IT infrastructure diagrams, data flow diagrams, or network diagrams to create a list of systems and applications in your organization that handle personal information.
Suppose your organization does not have detailed diagrams. In that case, you can start with the IT assets that are sure to collect personal information, like payment gateways, eCommerce and order management software, and HR software.
Track the data flows from these systems, whether they run through automated integrations or manual processes. Interview system and application owners to determine possible system integrations, and interview users to see if data is transferred from these systems via manual processes (e.g., download and send).
2.A.1.2. Categorize data assets based on CCPA requirements.
Consult with your legal team on how to catalog and categorize the data assets of the affected teams. The categories of personal information and associated data fields as defined in the CCPA are as follows:
|Category||Data Fields (not exhaustive)|
|Identifiers||Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers|
|Customer records information||Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information|
|Characteristics of protected classifications under California or federal law||Race, religion, sexual orientation, gender identity, gender expression, age|
|Commercial information||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies|
|Biometric information||Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data|
|Internet or other electronic network activity information||Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement|
|Audio, electronic, visual, thermal, olfactory, or similar information||Professional or employment-related information|
|Education information||Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act|
|Inferences||Preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes|
2.A.1.3. Prioritize your systems and applications based on risk.
Focus first on the riskiest scenarios for CCPA compliance (i.e., where you are most likely to see regulatory and customer pressure first).
For example, systems that process sensitive data categories like characteristics of protected classifications or biometric or geolocation data should be prioritized over systems that process low-risk identifiers like name or email.
If manually identifying and mapping personal information in your infrastructure is too daunting a task, several third-party software applications on the market automatically scan your business systems to identify instances of personal data. Popular examples include:
OneTrust — a comprehensive privacy management technology platform that helps organizations demonstrate accountability and compliance with global regulations like GDPR.
Big ID — capture and manage technical, business, and security metadata across your entire data environment. Automatically catalog and map sensitive & personal data with deep data insight, incorporating active metadata and classification.
The result for step 2 should be a functioning, centralized data inventory that can serve as a record for your business’s data processing activities.
We recommend the following:
Once you have all the policies generated, send them to your legal team for review. Be sure that this policy accurately includes all the categories of data you collect, how you process and assemble it, why, and if you sell it. Most of the time, your legal team will not have specific knowledge of your data processing activities, so they will not be able to correct them.
The CCPA requires businesses to notify consumers before or at the data collection point that the business wants permission to collect this data (notify, but not get consent, as the GDPR mandates). In CCPA speak, this is known as the Right to Disclosure.
This means that websites can load cookies but must notify the customer and provide them with an easy way of opting out.
The first step is to gather information on all the cookies for each of your site pages, identify who owns them (internal or third party), and describe what the cookie does with personal information.
Hopefully, there is a defined list of users/teams that have access to your site code, like your security team or marketing team.
Contact these teams to see if they have placed any cookies on your site and for what purpose or allowed a third party to place cookies (common examples include Snapchat, Facebook, Pinterest, etc.).
When a user lands on your site, you must notify them of the collection of cookies immediately. Common practice is to include a cookie banner — the pop-up that appears on most websites informing you of their collection of cookies.
For example, go to https://trustarc.com/ and look at the bottom of the screen.
Sample cookie banner language:
The cookie banner should:
If you don’t have the in-house capabilities to create an opt-out mechanism for cookies, consider purchasing online tools to automate your Cookie Consent Management. Companies like TrustArc and OneTrust provide plug-and-play software capabilities to manage cookies on your site.
Step 4 will walk you through what rights are granted to users under the CCPA and how your organization is expected to fulfill the user’s requests.
First and foremost, your company must provide contact information for customers to exercise their rights. Once you receive such a request, your company must verify the requestor’s identity before proceeding.
Your company must provide digital and non-digital methods that customers can use to contact you and exercise their rights. At a minimum, you must provide a toll-free number and a web address.
Common examples include a specific email inbox, phone number, mailing address, or self-service feature designed for rights requests specifically.
You may also use established channels like call centers, online chat features, email inboxes, etc. Still, you will have to train your employees/AI chatbots to direct these customers through the proper channels to your data privacy team or whoever handles consumer rights requests (CRRs).
4.A.1.1 Determine the people involved. Who are the stakeholders involved in your process? Who will your customers instinctively contact when they want to exercise their rights? This should include system/data owners, call center personnel, and your data privacy team. Consider making a RACI chart.
4.A.1.2. Develop a concrete, step-by-step process that walks the stakeholders through the specific process for your company. The process should include:
4.A.1.3. Automate & Templatize. You should seek to automate these workflows using whatever existing tools you have at your disposal. As mentioned, the rights requests must be fulfilled in 45 days, so any delays in the information chain make all the difference.
Additionally, create templates of your intake forms and responses for each of the rights below and their various scenarios.
Responses can be delivered either electronically or by mail.
Before granting their rights to a customer, your company must do its due diligence to verify the requestor’s identity to avoid identity theft and fraud. You can also use this process to confirm that they are a resident of California.
4.A.2.1. For a request seeking access to specific pieces of personal information (see step 4.B.), the business must verify the consumer’s identity to a “reasonably high degree of certainty,” which may include matching at least three “reliable” data points in the same manner.
Depending on what information you collect, examples could include:
And for liability purposes, your company should collect a “signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.”
4.A.2.2. For a data deletion request (see step 4.C.), the business must verify the consumer’s identity with certainty, based on the risk of harm that unauthorized deletion poses to the user. For example, deletion of employment or order history is more sensitive and potentially harmful than deletion of an ancient shipping address.
Here is a great example of a self-service request and verification form:
4.A.2.3. Templated scenario
If verification is unsuccessful, provide the customer a notice that they are unverified and do not qualify for their request at this time.
If verification is successful, you may proceed to fulfill their rights request.
Many verification tools, like selfie verification or driver’s license verification software, provide varying types of verification. Choosing the right one for your organization depends on the sensitivity of the personal data you collect and the number of requests you receive as an organization.
Under the CCPA, any California resident can exercise their Right to Access & Information, which means that they can request from your business the following:
Your company must respond within 45 days from their request, with an additional 45-day extension period available when necessary for a large or complicated data request.
The CCPA also imposes a 12-month lookback from the time of the request, meaning that the user can ask for the above information only for the 12 months preceding the request.
It also mandates that the user receive this information in a readily usable format that allows them to transmit it to others without undue hindrance. Responses can be sent electronically or by mail.
With some exceptions, the CCPA permits consumers to request that your business delete personal information collected about them on your systems and the direct service providers with which you’ve shared the personal data.
Once you’ve received and verified a deletion request, notify your service providers immediately to have ample time to satisfy the request.
Your company will still be held entirely accountable for ensuring service providers fulfill their obligations.
Your company must respond within 45 days from their request, with an additional 45-day extension period available when necessary for a large or complicated data request. Responses can be sent electronically or by mail.
Deletion is not required if the business needs personal information:
Even if your company falls under one of these exceptions, there still exists a 45-day period to respond to the customer and explain why you cannot fulfill their deletion request.
Under the CCPA, consumers can opt out of the “sale” of their personal information.
A “sale” is loosely defined as transferring personal data to a third party for any financial compensation beyond the original purpose of the data collection.
To exercise this right, businesses that sell personal information must provide a “Do Not Sell My Personal Information” button/link on the business’s homepage that guides the user to a web page where consumers can opt out of having their personal information sold to third parties.
It’s also best practice to include a link on your landing page or at the footer of your website.
Reference: Coca-Cola footer
By default, your company should not sell the personal information of consumers who are 13-16 years old.
Still, your company must create a process to allow them to opt in.
Under the CCPA, consumers can opt out of the processing of their personal information for marketing purposes, either by the company or a third party.
The CCPA prohibits businesses from discriminating against consumers for exercising their CCPA rights. Specifically, the business may not:
Wherever feasible for your business, maintain a record of the entire process of the rights request.
Analyze your third-party agreements with those businesses with which you share personal data, and determine if they have addendums regarding CCPA.
Businesses are allowed to share personal information with third parties and service providers for business purposes, as long as there are stipulations in the written contract that prohibit the third-party service provider from selling the personal information themselves or using the personal data for any purpose other than the specific purpose of performing the services specified in the contract.
So, if you haven’t already, reach out to your third parties and service providers to understand what they do with the information you share.
If necessary, create addendums to your written contracts with detailed data usage requirements and retention policies. You may have to switch service providers that cannot comply with your business standards.
Understand if any exceptions cover you.
Employee personal information is excluded from most of the CCPA’s requirements.
These include the rights and requirements that permit consumers to request:
This exclusion does not refer to all “employee” data regardless of context. Specifically, the exclusion applies to personal information that a business collects about a person acting as a job applicant, or as an employee, owner, director, officer, medical staff member, or contractor of that business, and to the extent the personal information is processed within the context of the person’s role or former role.
Employees are still entitled to a privacy notice. Additionally, employees are entitled to commence a private right of action if affected by a data breach caused by the employer’s negligent failure to maintain reasonable safeguards.
The CCPA does not apply to medical information covered by the Confidentiality of Medical Information Act (CMIA) or protected health information under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
The above guide has been a legalese-free, step-by-step guide for data privacy officers, business owners, and project managers to kick off their journey towards CCPA compliance.
You need to understand what personal data you collect and process to better exercise the rights of your customers and better safeguard valuable data. We hope you can use the above list to kick off the workstreams.
It’s essential to remember that regulations currently drive data privacy strategy; however, someday, that may not be the case.
While compliance with regulations should be a bare-minimum strategy, consider that your customers hope to work with a business they can trust.
And trust starts and ends with privacy, so make sure that you give your customers the data privacy they expect, not just what is mandated by law.
As always, check with your legal team that your strategies align with your company’s legal counsel.