If you’ve already determined that the California Consumer Privacy Act (CCPA) applies to your business, the next logical step is to ask, “Are we already CCPA compliant?” Obviously, any business owner or manager would prefer for this to be the case—it means you wouldn’t have to take any further action and could get back to running to your business. Unfortunately, it’s unlikely that your business’s current personal-data collection practices already match 100% with all of the CCPA requirements.
CCPA compliance requires more than just posting a privacy policy; it requires businesses to keep track of consumers’ personal information in new, more systematic ways. This starts with creating a detailed data map that covers all of your business’s data collection points, storage locations, and disclosures to outside parties. Your business’s privacy policy is simply the public facing disclosure of your business’s privacy efforts. Much of what it takes to be compliant takes place behind the scenes.
This quick CCPA compliance assessment will help you understand the current state of your business’s compliance with the California data privacy law. It’s not a substitute for legal advice or talking to a compliance expert, but it will give a general idea as to what changes, if any, you must make.
The Complete CCPA Guide
Privacy Notices
Your business likely already has a privacy policy posted online, but the CCPA requires that it include some specific notices to California residents (“consumers”).
Does your current privacy policy:
- Tell consumers what personal information is collected, from what sources, and for what purposes?
“Personal information” is broadly defined by the CCPA, and includes everything from browsing history to biometric information to IP addresses. It will be very difficult to meet this requirement without first creating a data map.
- Tell consumers how long you intend to retain each category of personal information?
In order to include this information, you will need to create a data retention policy.
- Tell consumers what categories of sensitive personal information are collected, for what purposes, and whether that information is sold or shared?
- Inform consumers of their CCPA privacy rights?
The CCPA gives Californians the right to know, the right to delete, the right to opt out of the sale of their personal information, the right to non-discrimination, the right to correct inaccuracies, and the right to limit use and disclosure of sensitive personal information.
- Provide instructions for making verifiable privacy requests?
Some requests must be verified by the business, with the level of verification depending on the personal information involved. You must provide clear instructions, and the process cannot be too burdensome.
- Inform consumers they can make a request through an authorized agent?
Businesses can, and should, verify the agent’s permission to act on behalf of the consumer. These verification procedures should also be included in the privacy policy.
- Tell consumers what personal information is disclosed to outside parties, and the categories of those parties?
Accomplishing this will require you to first classify all vendors to determine whether they meet the CCPA definition of a “service provider.” Ideally, this information should also come from your data map.
- Provide at least two methods of contacting your business and submitting requests?
At least one of these methods should be related to how you normally interact with consumers. That is, if you normally interact with consumers online, you must provide an online contact method.
- Tell consumers what personal information is sold or shared with third parties, and the categories of those third parties?
According to the CCPA’s definition, you may be selling or sharing personal information without realizing it. Common business practices such as retargeting or behavioral advertising are considered sharing.
- Provide information in an ADA-compliant manner that is reasonably accessible to users with disabilities?
The format and design should follow recognized industry standards such as the Web Content Accessibility Guidelines version 2.1.
Employees and Job Applicants
Employees and job applicants are now treated like any other consumers. Your business will have to make all required disclosures and extend the full range of privacy rights to these groups.
If Your Business Sells or Shares Consumers’ Personal Information:
- Do you have a separate page or section of your privacy policy informing consumers of their right to opt out?
- Is there a clear and conspicuous “Do Not Sell or Share My Personal Information” link on your homepage?
This link should take the consumer to the page or section described above.
- Do you have an online interactive form for submitting requests to opt out?
At least one of the two opt-out methods must be such a form.
Additional Privacy Notices
Your business may be required to include the following notices.
- Financial incentives notice
In some limited circumstances, businesses may offer financial incentives to consumers for opting in to the sale of their personal information. If so, the business must disclose the details of these incentives.
- Consumers under the age of 16
If your business has knowledge that it sells personal information from consumers who are 15 or younger, it must provide information about how to obtain their consent.
- High volumes of personal information
If your business collects the personal information of more than 10 million consumers, it must provide additional information.
- Brick-and-mortar business locations
If you collect personal information at a physical store location, you must provide privacy notices there as well, include all of the information in your online privacy policy, and provide a toll-free number for making CCPA privacy requests.
Read more about the CCPA’s privacy notice requirements.
Responding to Consumer Requests
Privacy requests come in several types that correspond to consumers’ rights under the CCPA: requests to know, requests to delete, requests to opt out, requests to correct, and requests to limit. Each of these request types has its own rules, requirements, and exemptions. This portion of the checklist will help assess your business’s readiness to respond to privacy requests.
- Do you know exactly what personal information must be disclosed or deleted upon request, and where it is stored?
Without a thorough and up-to-date data map, it will be very difficult to know whether you are fully complying with consumers’ requests.
- Are there at least two methods for submitting consumer requests?
At least one of the methods should relate to the way your business normally interacts with consumers.
- Do you have a designated email address for privacy requests?
While not necessarily required by the CCPA, it is recommended to have all privacy requests and questions going to one inbox.
- Do you have a clear verification procedure in place?
The level of verification needed varies by request type and the type of personal information involved.
- Have you separately tracked sensitive personal information?
Consumers have the right to limit the use and disclosure of sensitive personal information, which requires tracking this data separately and knowing how to limit its use.
- Have you identified which personal information need not be deleted?
The CCPA contains a number of exceptions to the right to delete. Any data that fits in these categories should be identified in advance.
- Do you have a way to deidentify or aggregate personal information?
Businesses can retain personal information that is deidentified or aggregated, even if the consumer submits a deletion request.
- Have you created a process for relaying consumer requests to third parties, contractors, and service providers?
Third parties and service providers also must comply with CCPA requests, but it is your business’s responsibility to forward those requests.
- Is there a clear process for stopping the sale or sharing of a consumer’s personal information upon request?
Businesses only have 15 days to respond to an opt-out request.
- Are opt-out requests easy to execute, requiring minimal steps?
Making an opt-out request can’t require more steps than the process to opt in, and it can’t be designed in a way that discourages consumers from making the request.
Read more about handling CCPA privacy requests.
Data Security Requirements
Only the California Privacy Protection Agency or the Attorney General can enforce most CCPA violations, but the law does create a private right of action for consumers in the event of a data breach. If consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access due to a business’s failure to implement reasonable security procedures, they can recover either actual damages or statutory damages of up to $750 per incident. Though the CCPA doesn’t define what reasonable security procedures are, here is some general guidance.
- Does your business encrypt the personal information it collects?
Given the law’s emphasis on encryption, this is the logical place to start.
- Are you using adequate and up-to-date cybersecurity tools?
As with any of these requirements, what is adequate will depend on the situation, including what personal information is involved.
- Do you have physical security measures in place to restrict access?
Alarm systems, surveillance cameras, keycard access, etc.
- Is employees’ access to personal information restricted as appropriate?
When providing employees access to sensitive personal information, a background check may be a reasonable requirement.
- Do you conduct regular audits of your business’s data security policies?
Businesses should periodically update their systems to close any gaps and prevent security breaches.
Read more about the CCPA’s private right of action.