Countdown to CCPA: Part 1
You’ve determined that your business is subject to the California Consumer Privacy Act (“CCPA”) and are engaged in your CCPA assessment and compliance efforts. January 1, 2020 is close. It’s time to measure your CCPA implementation progress.
This post is the first of three articles intended to help you assess your progress toward meeting upcoming CCPA obligations.
Data Inventory and Mapping
Data inventory and mapping is critical to determining which personal data is subject to the CCPA, to honoring consumer access rights and other CCPA obligations, and to making the decisions and assessments necessary to ensure compliance.
Privacy professionals ask the following questions about personal data: What? How? When? Where? Why? Who? This information gives us the background we need to assess the privacy compliance implications of a business’s use of personal data.
WHAT personal data do you collect?
- Is the data identified to the individual consumer?
- Is the data identifiable to the individual consumer?
- Is the data element of the type that is included in the CCPA definition?
- Is the data element excludable from the CCPA (covered by GLBA? by HIPAA? publicly available?)?
HOW do you collect it? Use it?
- Is the data affirmatively submitted by the consumer?
- Is the data passively or silently collected?
- Is the data collected by third parties?
- Sources of data?
WHEN do you collect it?
- Before the customer relationship is formed?
WHERE do you collect it? Store it?
- Website?
- In person? By phone?
- Electronically collected? Stored?
WHY do you collect it?
- Purposes of collection, use, retention?
WHO has access to the data?
- Internal access vectors?
- External access vectors?
- Purpose of sharing?
- What do you get from the third party for sharing the data?
- Third party nondisclosure agreement in place?
- Who uses the data for their own purposes?
- Do any third parties share data with fourth or fifth parties?
- Do you sell personal data subject to the CCPA?
Consumer Rights
The CCPA gives consumers substantive rights intended to facilitate control over their personal data.
Have you established processes to ensure that consumers can send you, and you can honor, a request to:
KNOW
- the categories of personal data that you collect or sell about them?
- the categories of sources of data?
- the purposes for collecting or selling the data?
- the categories of third parties with or to whom the data is shared or sold?
- specific types of data collected?
OPT OUT of sales of their personal data?
DELETE certain types of personal data?
VERIFY consumer requests?
RESPOND to the request within 45 days at no cost to the consumer?
DETERMINE when an extended response or charge may be permissible under the CCPA?
Do you have procedures in place to
- address personal data of minors (16 or under)?
- ensure that there is no discrimination against consumers who have exercised their CCPA rights?
Practice Pointers
When conducting due diligence for an automated compliance solution, look for a platform that allows you to keep track of data elements and categories, third parties to whom data is sold, the purpose of data collection and other data attributes. Your solution should serve as the backbone for responding to consumer requests. Look for a solution that automates the mechanisms consumers use to exercise their CCPA rights and that facilitates management of the process of reviewing and fulfilling those requests.
By Paige Boshell, Privacy Counsel LLC (Please note that this article is not intended as legal advice and is a high-level overview of some of the more significant CCPA requirements. Please contact legal counsel for a thorough description of CCPA obligations and how they apply to you.) © CENTRL, Inc. 2019