Ready, Set, Sustain: Six Steps Toward CCPA Compliance by Daniel Barber, CEO at DataGrail


With less than four months until the California Consumer Privacy Act comes into effect, the time to prepare is now.

The California Consumer Privacy Act (CCPA) is the first major piece of United States privacy legislation, but it won’t be the last. There are already similar bills in the works in Washington, Hawaii, Massachusetts, New Mexico, Rhode Island and Maryland. Introduced on June 28, 2018, the CCPA adopts much of its framework from the European Union General Data Protection Regulation (GDPR) – although there are some subtle differences. For example, the CCPA extends its protections to households and devices, not just individuals, and includes the right to opt-out of the sale of personal information.

If there is one lesson we learned from the May 25, 2018 GDPR deadline, it is that companies did not give themselves enough time to prepare. Anecdotally, we witnessed the public-facing work to update privacy policies and implement cookie banners, but was the same attention given to the tedious (and often manual) task of preparing data inventories behind the scenes? Are companies equipped to process consumer privacy rights requests like the right to deletion?

Our research suggests a lot of companies were blindsided by how much time and money it takes to sustain compliance. With less than four months until the California Consumer Privacy Act goes into effect on January 1, 2020, this article provides actionable steps for how to work toward a sustainable compliance program.

Data point one: Update your privacy policy

One of the first steps toward CCPA compliance is to update your privacy policy. Similar to the GDPR, the CCPA requires companies to disclose what type of data is being collected and the purpose of its collection; however, there are some subtle differences that may require separate policies for California consumers and European citizens. For the CCPA, protected data includes personally identifiable information, commercial data/sales transactions, internet activity, biometric data, geolocation data, employment data, educational data and metadata.

Data point two: Implement a notification banner

Hand-in-hand with an updated privacy policy, companies should be planning to implement a notification banner. This is necessary in order to inform users both of your compliance with the CCPA and of their rights as individuals. If data is being collected from the consumer as soon as they enter the site, that must be communicated.

It’s important to recognize that updating your privacy policy and implementing a notification banner are only the start of compliance: readiness. Sustained compliance can be much more challenging to achieve.

Data point three: Build your data inventory

Sustained compliance is an ongoing process that requires granular visibility into dynamic business systems. It’s not uncommon for a Fortune 500 company to have more than 100 business systems that contain personal data, each operating independently. You could build your data inventory through manually conducted surveys and questionnaires, but these static lists are time-consuming, error-prone, and immediately outdated – especially without an additional process to update them when new systems come online. Companies that seek to implement a sustainable compliance program should consider solutions that enable them to integrate business systems to streamline response to California consumer privacy rights.

Data point four: Establish a workflow to respond to consumer rights requests

Responding to California consumer privacy rights could introduce a second tedious process if your company has not prepared by integrating its business systems. The manual response to manage these privacy requests requires complex data inventories to inform multiple system owners of the data that needs to be deleted. This can become a rather expensive process since legal counsel is frequently employed to manage these requests.

Data point five: Hard deletes aren’t easy

One potential pitfall when responding to the right to deletion is the difference between a hard delete and a soft delete. A soft delete, such as removing information from a dashboard, does not necessarily mean it has been deleted from your processor. A hard delete will typically require an email to your processor to ensure this data has been deleted, both by them and by their sub-processors. Again, this can become a tedious manual process when business systems have not been integrated.
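To make the distinction in data points three through five concrete, here is an added example (not code from the article or from DataGrail) that models a per-consumer deletion request over a small data inventory: a soft delete only hides data from the dashboard, and a system counts as hard-deleted only once the processor and every sub-processor listed in the inventory has confirmed erasure. The system, processor and sub-processor names are constructed placeholders, not real vendors.

```python
from dataclasses import dataclass, field
from enum import Enum


class DeleteState(Enum):
    PENDING = "pending"  # request received, nothing done yet
    SOFT = "soft"        # removed from the dashboard only; data still held by the processor
    HARD = "hard"        # processor and every sub-processor have confirmed erasure


@dataclass
class SystemEntry:
    """One row of the data inventory: a business system that holds personal data."""
    name: str
    processor: str
    sub_processors: list
    state: DeleteState = DeleteState.PENDING
    confirmed_by: set = field(default_factory=set)


# Constructed sample inventory for one consumer's deletion request (placeholder names).
INVENTORY = [
    SystemEntry("crm", "crm-vendor", ["crm-vendor-backup-host"]),
    SystemEntry("analytics", "analytics-vendor", ["analytics-cdn", "analytics-warehouse"]),
]


def soft_delete(entry):
    """Hide the data in the dashboard. This is not a CCPA hard delete."""
    if entry.state is DeleteState.PENDING:
        entry.state = DeleteState.SOFT


def record_confirmation(entry, party):
    """Record an erasure confirmation from the processor or one of its sub-processors.
    The entry only becomes HARD once every required party has confirmed."""
    entry.confirmed_by.add(party)
    required = {entry.processor, *entry.sub_processors}
    if required <= entry.confirmed_by:
        entry.state = DeleteState.HARD


def outstanding(inventory):
    """Map each system that is not yet hard-deleted to the parties still owed a confirmation."""
    return {
        e.name: sorted({e.processor, *e.sub_processors} - e.confirmed_by)
        for e in inventory if e.state is not DeleteState.HARD
    }


def request_complete(inventory):
    """The consumer's deletion request is closed only when no system is outstanding."""
    return not outstanding(inventory)
```

Running `outstanding(INVENTORY)` after each step shows exactly which vendor still owes a confirmation, which is the list a manual email-based process has to track by hand.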

Data point six: Third-party providers, all on one page

As evidenced by the complexity of managing hard deletes, it is critical to ensure that third-party service providers and partners that store protected data have also implemented a sustainable compliance model. Implement contractual obligations, such as a data privacy agreement, to ensure your partners are working toward the same standards as your company. And reconsider working with your service providers if they have not completed their associated data inventories or are unable to integrate with your business systems. The last thing you want is for your company to be penalized because of a mistake by your partners.

Coming into effect January 1, 2020, the CCPA creates many new compliance requirements for businesses. Preparing early will give companies an edge and decrease internal stress on businesses that are subject to the new law. Finding solutions that provide sustained compliance and figuring out where data currently lies internally will be keys to success. As the implementation of the GDPR made evident, taking action now is necessary for companies to be ready.