5 Actions to Take Ahead of CCPA Enforcement

by Deana Fuller 0 Comments

Enforcement by the California Attorney General’s Office for the California Consumer Privacy Act (CCPA) begins July 1, 2020. As you’re most likely aware, the CCPA went into effect earlier this year to protect consumers’ personal information, including how it’s collected, stored, and shared.

According to the National Law Review, this legislation is estimated to impact 75% of California businesses. It’s important to note the CCPA has a 12-month look back requirement, meaning businesses will need to disclose their privacy practices over the past year. If your firm is based in California or serves clients who are, here are five actions to take to help you prepare.

  1. Map and Inventory Customer Data
    • Discover, identify, categorize and index all California resident and household data
    • Connect individual data to an identity
    • Assign residency to CA consumers and households
    • Maintain up-to-date and current documentation of CA consumer data flow maps
    • Record and monitor service provider/third-party data sharing flows
  1. Automatically Fulfill Consumer Data Rights
    • Create a process for data access rights, requests, and document workflows
    • Classify and categorize all data to be included in reports
    • Fulfill DSARs (fun fact: fulfillment is now 1 month from the day of request)
    • Automate reporting in response to requests
    • Validate data rights (including right to deletion)
  1. Update Policies, Opt-outs, & Disclosure Notifications
    • Publish CCPA specific website privacy policy
    • Consent and opt-out operationalization
    • Information security policies
  1. Define Breach Thresholds & Privacy Team Workflows for Breach Response
    • Determine whose data and attributes are impacted by the breach
    • Identify apps that have accessed the breached data source
    • Create breach data analysis workflows to facilitate response & notification
  1. Validate and Test (or, Plan, Do, Check, Act)
    • Access requests: response, accuracy, and comprehensiveness
    • Data flow maps for business process and associated attributes
    • Data deletion for data collection now and going forward
    • Data sharing with service providers/third parties, including business purpose and data categories

While the US has not adopted a comprehensive privacy law, individual states—starting with California—will continue to fill that gap. To ensure your firm’s compliance efforts are on track, Agio offers Privacy Consulting within its SEC Governance program. Led by a team of certified privacy professionals, we’ll partner with you to create a framework and strategy for a comprehensive data privacy governance program. Contact us to get started.