Understanding the CCPA
Another day, another framework. Except, if you’re a SaaS company potentially working with Californians’ personal information, listen up! The California Consumer Privacy Act (CCPA) is state legislation that sets data privacy rights for Californian residents. Now, how does that affect your business? Well, suppose your website obtains and handles data on Californian residents. Tag – CCPA applies to you.
So what is this ‘CCPA’ all about? For starters, the CCPA and the GDPR have much in common as the CCPA is more than just inspired by the GDPR; it’s based on its principles. This makes the CCPA the first comparable data privacy regulation in the United States. We discuss this at length in our blog CCPA vs. GDPR: Navigating Data Privacy Regulations for SaaS Companies, which is worth checking out. But for now, let’s zoom in on CCPA and what it means for data privacy and safeguarding personal information in a digital era. More importantly, how can you make sure your company is compliant?
But first, let’s double-check who needs to comply with CCPA.
Is My Business Subject to CCPA Compliance?
Let’s cut to the chase – is this even relevant to your business? In brief, the CCPA will apply to all businesses that come into contact with data from Californian residents and that, as it currently stands, meet one of the following thresholds:
- The annual gross business revenue exceeds $25 million.
- A business receives or discloses the personal information of 100,000 or more California residents, households, or devices each year.
- A business derives 50% or more of its annual revenue from selling California residents’ personal information.
As it currently stands, the CCPA only extends to for-profit companies established in California and entities that “indirectly” qualify as doing business (i.e., parents and subsidiaries of companies established in California).
This begs the question, “If my business isn’t based in California, why would I be worried about compliance?”
To clarify: an organization located outside California that transacts with California residents must still confirm whether it collects those residents’ personal information, because the scope of the CCPA is tied to the residency of the consumer, and its purpose is to protect the rights of California residents.
The Key Requirements of the CCPA
We must first look at the vital privacy provisions to better understand what is required to comply with the CCPA. This includes the following:
Right to Know:
Upon request, organizations must tell consumers exactly what personal information they collect about them and how it is used and shared.
Right to Delete:
The CCPA gives consumers the right to request that organizations delete personal information collected from them (with some exceptions), and organizations must comply.
Right to Opt-Out:
Under the CCPA, consumers can opt out of the sale or sharing of their personal information. Therefore, organizations must provide a clear and conspicuous link on their website that lets consumers opt out of the sale of their personal data.
Right to Limit Use and Disclosure of Sensitive Personal Information:
The CCPA grants consumers the authority to control and restrict how sensitive personal information gathered about them is used and shared.
Private Right of Action:
Organizations must safeguard the personal data of California consumers. Consequently, consumers can take legal action against an entity directly if it fails to adequately protect their personal information through measures such as encryption or redaction.
Organizations must also establish clear and detailed privacy policies that include specific required information, and these policies should be reviewed and updated at least annually to reflect current practices and compliance. The privacy policy should give consumers a written statement outlining all of the organization’s online and offline practices for collecting, using, sharing, and selling consumers’ personal information.
When navigating CCPA compliance and the core privacy provisions, it’s important to note that these particular privacy provisions go far beyond mere contact information.
Data (even without contact information) still falls under the CCPA if it can be used to identify a person. For example, data types covered by the CCPA include an address, household income, and other specific information that can identify a consumer.
CCPA Compliance at a Glance: How to Prepare for CCPA Compliance
Although some privacy provisions may seem straightforward, as with all things in the compliance landscape, implementing the required regulatory measures isn’t always easy. Getting CCPA compliant is no different and often involves navigating a few (okay, quite a few, actually) complexities. Fortunately, we’re here to guide you through the process one step at a time.
Appoint a CCPA team: You need to rally the troops for this one. The first step to successful compliance is to appoint a dedicated team responsible for upholding the relevant data privacy standards, explicitly focusing on CCPA compliance and how it impacts every part of the organization.
Create a data inventory: This is your treasure chest of data that needs protecting. But first, you need to go through your data collection processes and the flow of that data across systems with a fine-tooth comb, so you can accurately establish a blueprint for implementing cybersecurity safeguards.
Conduct an extensive risk assessment: Risk assessments are essential in ensuring you don’t miss any critical gaps or ignore potential red flags. They also enable organizations to take a proactive approach to risk mitigation and promote a strategic, risk-based way to identify potential vulnerabilities and the security controls needed for remediation.
Implement security controls and data protection tools: Understanding the categories of third-party service providers and contractors and their roles in data processing is also crucial for CCPA compliance. This is where you need to put your money (or rather, your controls) where your mouth is and implement the proper information security controls to ensure you have done your due diligence regarding data security. This step also requires the most technical knowledge, which is why many organizations involve third-party solutions or custom code to enforce access controls and safeguard data.
Create and implement data privacy policies and governance: By now, you have probably come to know that compliance and policies are joined at the hip. You can’t have one without the other. Therefore, you must create thorough policies pertaining to your data management, including how you oversee consumer data mitigation, monitoring, vendor access, and risk management within the supply chain.
Maintain an audit trail: Speaking of policies, during your CCPA compliance journey, it’s essential to maintain an audit trail documenting all policies and procedures related to data privacy.
Some businesses, though not all, must conduct cybersecurity audits to prove compliance with the CCPA. The cybersecurity audit evaluates and records the company’s cybersecurity measures, taking into account its size, complexity, and data processing activities, as well as current technology and implementation costs.
During all these steps, it’s vital to continuously provide CCPA compliance training for employees, particularly those in customer-facing roles. Educating staff about CCPA essentials, compliance requirements, procedural updates, and system changes is crucial for adherence.
Stress-Free CCPA Compliance With Scytale
Fortunately, you don’t have to rely on doom-scrolling the internet or the nightmare of playing compliance catch-up – not when you have us in your compliance corner. At Scytale, we simplify compliance and cut out the CCPA heavy lifting! How? By automatically collecting evidence verified against key CCPA requirements and helping you complete a simplified, tailored self-audit with your dedicated compliance expert.
Meet YOUR VERY OWN CCPA EXPERT here and keep your cool while staying 100% CCPA compliant.