Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

4/30/2019
02:30 PM
Chris Babel
Chris Babel
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

California Consumer Privacy Act: 4 Compliance Best Practices

Companies that get ahead of the January 2020 data privacy deadline can minimize the risk of sanctions and also gain a competitive advantage in the marketplace.

The California Consumer Privacy Act (CCPA) — the toughest privacy law in the United States — will go into effect January 1, 2020, with enforcement beginning no later than July 1, 2020.

The CCPA, like the existing EU General Data Protection Regulation (GDPR), broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. For compliance leaders, such as chief privacy officers (CPOs) and data protection officers (DPOs), the act represents an opportunity to operationalize privacy and make it a strategic priority for gaining competitive leverage. 

Who Should Care About CCPA?
In brief, anyone who has customers or employees in California should care. In greater detail, the CCPA affects companies that:

  • receive personal information from California residents either directly or indirectly, and that annually generate revenue in excess of $25 million;
  • receive the personal information of 50,000 or more California residents, devices, or households annually (directly or indirectly), or derive at least 50% of revenue from the sale of personal information about California residents.

While the effective date is January 1, 2020, consumers have the right to request the categories of personal information collected by companies within the preceding 12 months. This means that companies will need the records of personal information they collect dating back to January 1, 2019. Organizations that are affected by the CCPA and fail to comply risk being assessed fines of between $2,500 and $7,500 per violation.

CCPA Best Practices
To prepare for the impending regulation, CPOs and DPOs should secure a budget, develop the key processes, and evaluate tools that will help their organizations build and implement a compliance plan. The plan will need to include a comprehensive data inventory describing which business processes are in the scope of CCPA and where the gaps are in compliance processes. Compliance leaders should adopt the following best practices to help achieve CCPA compliance:

● Transparency in Policy Language. By January 2020, businesses must provide consumers with specific information pertaining to the new regulation. For example, consider when a consumer downloads a ride-sharing application. The user will receive a privacy prompt asking if they are OK with the company collecting certain information and must hit "accept" or a similar call-to-action button to either designate they understand the policy or that they would like to read the full policy. In addition, the app must also update those prompts to explain how the CCPA affects what rights users have related to privacy protection, and how those rights differ from pre-CCPA rights. To comply with this mandate, organizations must update privacy notices at least annually by describing how CCPA statutes affect data collection and users' privacy options, ensure those notices meet the transparency requirements of any applicable laws, and formally document that process.

● Looping in Data Processors. Businesses are now required to report consumer data deletion requests from a company's database to its service providers, which are also liable for civil penalties under the CCPA for noncompliance. If a retail company collects user data, it must also ensure it has evaluated and determined that any customer relationship management (CRM) service provider with which it works is compliant with CCPA regulations. Service providers must also ensure they have the requisite privacy processes and mechanisms in place to support companies that use their services.

● Recourse for Data Requests. Consumers will have the right to obtain, within 45 days, their personal information from a business. Consumers also have the right to request their personal information in a format that allows them to transmit it to another organization. To ensure compliance, organizations will need to review how they currently respond to data access requests, assess how well those processes work, address compliance gaps, and find ways to automate, scale, and simplify manual compliance-related processes.

● Data Deletion Standards. Consumers may request that businesses delete their personal information. Companies will need processes and mechanisms to respond to consumer deletion requests, identify where the data resides, and demonstrate to the customer that the information has been removed from their databases.

CCPA Is Not GDPR
Businesses that complied with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start on dealing with CCPA. However, under the CCPA, all companies that fall under the CCPA jurisdiction — whether or not they are affected by GDPR — will need to enhance their data management practices and expand their individual rights processes by the January 1, 2020, deadline. Companies that get ahead of CCPA compliance will not only minimize the risk of sanctions but be able to carve out a greater competitive edge over companies that lag behind.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13881
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
CVE-2020-13883
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
CVE-2020-13871
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.