Getting into compliance with the California Consumer Privacy Act (CCPA) can seem like an overwhelming task. After all, the law is comprised not only of a dense statute and detailed regulations, but the amendment effective Jan. 1 added to the complexity by removing the exemptions for data collected in the employment and B-2-B contexts.
But there’s good news.
Businesses subject to the law can take the below seven steps to achieve full compliance. A word of caution, however: These compliance steps can take six to 12 months to complete and are best handled by working closely with data privacy counsel.
1. Inventory and map all consumer data, including employee and job applicant data.
Understand pertinent terms, such as “personal information” and “sensitive personal information,” a California “consumer” (including employees and job applicants), and what constitutes “collection” under the regulations to frame the scope of any data inventory or mapping exercise.
Consider the various sources, channels, or points at which you collect data from a consumer, and at what date and time the collection occurs. Evaluate the business purpose for which you collect and process any information and with whom it is shared. Are there any service providers or third parties that store or process any consumer data on your behalf? Identify the location in which data is stored and who has access to the data, and determine applicable retention periods for each category of personal and sensitive personal information collected.
2. Take appropriate steps to secure all consumer and employment-related data.
In support of the obligation to secure consumer data, you may be required to conduct an annual security assessment, depending on risk factors and the sensitivity of the data you collect or maintain.
The implementation of reasonable security procedures and practices may include a review of any cyber and/or information security policies and incident response plans. Any security review should evaluate the security measures of service providers, contractors, and third parties and include updating agreements to comply with CCPA requirements.
3. Prepare and provide a “notice at collection” to all consumers, including employees and job applicants, at or before collecting any consumer data.
Review the content requirements for the Notice at Collection and update for compliance with the CCPA regulations, effective March 29. Evaluate where data is collected (for example online, in-person, or telephonically) and ensure the Notice at Collection is available at such location. Make sure you distribute the notice to job applicants, as well as new and current employees.
5. Deploy a process to receive and respond to consumer requests from all consumers, a process referred to by many privacy practitioners as a DSR or data subject request.
Implement a consumer request process that can address all the types of requests a consumer can make under the CCPA, including the right to know, request to delete, request to correct, and request to opt out of the sale of personal information. Consumers can submit a request to correct information and request to limit the use or disclosure of sensitive personal information.
You must implement at least two methods for CCPA requests and adhere to strict response deadlines. In addition, you must implement a verification process to verify the identity of the person making a request.
6. Implement data minimization rules.
This includes a data retention policy and workflow for purging stale data for which there is no legal or business reason to keep.
7. Train all managers and employees on all CCPA requirements in which they play any role.
This may include those responsible for CCPA compliance and anyone directly interacting with consumers and providing information, notices, and forms, or assisting with the business’s response to any CCPA request.
Compliance with consumer privacy laws is not a matter of distributing templates that are turnkey or “plug and play.” Rather, compliance is an ongoing and individualized process, and all the requisite forms, templates, notices, and policies must be tailored to your business.