What is CCPA compliance?
The CCPA is the broadest law on data privacy in the United States. It stands for California Consumers Protection Act of 2018. The CCPA, passed by the State of California, responds to the increased role of personal data in modern business practices and the implications of personal privacy around the collection, use, and protection of personal data. The law provides customers or users access and control over personal information and allows them to have a role in determining how businesses and organizations collect, use, and distribute this data.
In the modern world, data has become central and is used in virtually all operational functions of professional and personal domains. The amount of data being produced increases by the hour. Many organizations today hold vast amounts of data. Without control and regulation, these organizations are likely to use the personal data they collect in whatever way they please. This is the reason there is a need for regulation such as the CCPA.
The CCPA provides protections in the following areas:
- Consumer Data Access
It aims to give consumers direct access to their data and give them the right to request information about how and why businesses and organizations are using their data.
- Collecting Consumer Data
This means that businesses and organizations are compelled to notify their consumers when collecting personal information and when a security breach compromises the data.
- Deleting Consumer Data
This states that consumers have a right to delete or modify their personal data held by an organization when they want.
- Selling Consumer Data
This means that consumers have a right to opt out of any sales that involve their personal information. Businesses and organizations are required to notify their consumers when they are selling such data.
What are the steps to complying with CCPA?
Knowing your obligation to the CCPA
The very first step of complying with the CCPA is knowing your obligation. The Act clearly defines a consumer, personal information, and a for-profit legal entity. The Act further defines the role of each entity and what personal information entails. In addition to information about an individual, the Act's definition of personal information also includes any information identifiable to a household and not necessarily to an individual consumer.
Mapping Consumer Data
Any entity covered by the CCPA is required to map all the personal information under its control. According to the Chronicle of Data Protection, mapping personal data involves asking yourself questions such as: What personal information are you collecting or holding? How do you collect it? How are you storing it? Where are you storing it? Are you sharing it with any other entity? Are you using it for the stated purpose, the one known to the owner? The Act requires that any entity holding personal information provide it upon request by a consumer. This includes information held by a third party on behalf of an entity.
Updating Privacy Disclosures
The Act gives consumers the prerogative to be informed of the exact personal information that an entity is collecting from them. To comply with this requirement, businesses and organizations must therefore provide a disclosure at the point where the personal information is collected. The businesses must further tell consumers the purpose for which they are collecting the personal information. The covered entities are also required to disclose where personal information is collected from and any third party with whom the data is shared.
Handling Consumer Requests
The CCPA requires the covered entities to be ready to attend to the consumer requests about personal information that the Act allows. The Act states that the requests must be attended to within a timeframe of 45 days and without charging the consumers. This means that the covered entities must come up with appropriate procedures to handle consumer inquiries, which include requests for a copy of their personal information, requests to know what categories of their personal information are being sold, and requests to have their personal information deleted.
The CCPA requires that the covered entities review and update their data security and privacy strategies and monitor for any data security breaches to mitigate the risk of data loss. The Act allows consumers to seek damages for any breach of personal information arising from a breach of the duty to apply and maintain reasonable security policies and practices.
The CCPA is the California data privacy law regulating how organizations and businesses all over the world are required to handle any personal information belonging to the State’s residents. The law is fairly new and came into effect in 2020. As organizations continue to comply, be sure to look out for DQLabs Data Privacy Compliance to help you comply with the regulations defined by this Act.