Meeting the requirements of the California Consumer Privacy Act (CCPA) can be daunting. It’s easy to understand the overall purpose, but the fiddly details of exactly what you need to do to comply are often harder to grasp.
Here’s a handy CCPA compliance checklist to assist you in making sure your website is compliant with this important consumer data law.
CCPA Compliance Checklist
Understand how CCPA applies to you
Are you exempt because you are a non-profit?
Do you meet the conditions for CCPA to apply?
Review your existing policies and practices
Identify the data you collect from consumers, the point at which collection occurs and how you use the data.
Assess your data policies for compliance with CCPA.
Adjust policies and practices
Privacy notifications at point of data collection.
Data request procedure and response.
Security controls up-to-date and appropriate to type of data.
Third party agreements checked to ensure compliance.
Employees trained on data handling.
Maintain your system
Stay alert to changes in data governance and regulation.
Ensure staff receive regular training.
Checklist for becoming CCPA compliant
Let’s go through the checklist in a little more detail.
1. Understand how CCPA applies to you
a. Are you exempt because you are a non-profit?
CCPA applies only to for-profit businesses that do business in California and collect the personal information of California residents. Non-profits are out of scope, but if your non-profit is owned or controlled by a for-profit business that shares its branding, the exemption may not apply.
b. Do you meet the conditions for CCPA to apply?
Even if you are a for-profit organization, the law only applies if you meet at least one of these thresholds: annual gross revenues over $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year; or deriving 50% or more of annual revenues from selling personal information. Be aware that these thresholds have since been amended (the CPRA raised the second one to 100,000 consumers or households from 1 January 2023), so check the current statute rather than relying on the figures here.
2. Review your existing policies and practices
a. Identify the data you collect from consumers, the point at which collection occurs and how you use the data.
CCPA applies to personal information, so you need to be familiar with how this is defined: information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes the obvious identifiers like name, address, passport or social security number, but also email address, IP address and usernames, employment and medical history, and biometric data like fingerprints. Cookie and device identifiers count too, because they can be linked to a particular consumer, household or device.
Your data inventory should make it easy to see what data is collected, at what points in the consumer journey it is collected, where it is stored and who it is shared with.
b. Assess your data policies for compliance with CCPA.
Internal data policies should also set out how your employees and third-party partners are expected to handle data in accordance with CCPA.
3. Adjust policies and practices
a. Privacy notifications at point of data collection.
CCPA requires you to inform consumers, at or before the point of collection, which categories of personal information you collect and the purposes you use them for, and to tell them their rights under CCPA: for example, how to request disclosure or deletion of their data, and how to opt out of the sale of their personal information (typically through a "Do Not Sell My Personal Information" link). If your site sets cookies or tracking pixels that collect personal information, the cookie banner is usually where this notice and the opt-out are surfaced, so make sure it meets those requirements.
b. Data request procedure and response.
You must plan how you will respond to consumers' requests, so your system should be set up so that requests to access or delete data can be fulfilled quickly and easily, within the 45-day time limit (extendable once by a further 45 days if you notify the consumer) and free of charge. Offer at least two ways to submit a request, for example a toll-free phone number and an email address or web form. Verify the identity of the requester before you disclose or delete anything; otherwise the request process itself becomes a way for an attacker to pull someone else's data.
c. Security controls up-to-date and appropriate to the type of data.
Data breaches can prove very damaging and costly, so make sure you have controls in place that are proportionate to the sensitivity of the data you hold, for example access controls, logging, and encryption of personal information at rest and in transit. CCPA also gives consumers a private right of action when unencrypted and unredacted personal information is breached because a business failed to implement reasonable security, so reasonable security is a legal obligation, not just good practice. Your controls should include an incident response plan to be used in the event of a breach.
d. Third party agreements checked to ensure compliance.
You are responsible for how your customers' data is handled, even when it is not you doing the handling. Ensure your third-party agreements require partners to comply with CCPA, restrict what they may do with the data you share, and accept liability for breaches that occur on their side. If you or your third parties collect data from users through cookies, it's likely you'll need a cookies policy on your website.
e. Employees trained on data handling.
What matters is how your system functions in practice, not what's written in a document somewhere. How your workers actually handle data is all-important, and regular training helps to prevent inadvertent breaches.
4. Maintain your system
a. Stay alert to changes in data governance and regulation.
The law doesn't stay the same forever, so watch for legal developments that could mean you need to change your approach. This could be case law that changes how the law is interpreted, or new rules and regulations (the CPRA amendments to CCPA are one example). Allocating this task to a named person will help to ensure accountability, as it's all too easy for it to fall between job roles.
b. Ensure staff receive regular training.
Workers need regular refreshers to stay compliant, and new staff need to be told what is expected of them when they join. A requirement to provide regular training might also be written into your third-party contracts.
Achieve compliance the easy way
Do you need help making sure your website meets the requirements of CCPA? The consequences of breaching the law include fines levied by the California Attorney General of up to $2,500 per violation, or up to $7,500 per intentional violation, so non-compliance can be very costly.
Let CookieHub advise you on best practice so you have a smooth, compliant service for customers. Explore our pricing page to discover the best solution for your needs.