CCPA (California Consumer Protection Act) went into effect January 1, 2020 and has been enforced since July 1, 2020. Let’s walk through whether your organization qualifies for this regulation and how you can prepare for it:
CCPA Requirement Summary
1- $25m of Revenue
On this point, there’s no indication that the CCPA revenue threshold of $25m is limited to CA-based revenue. The text of the statute does not restrict the revenue to California, and the Attorney General’s office has declined to clarify this point.
2- 50,000 California Consumer Records
The business, alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices. On this point, it appears that “consumers, households, or devices” are limited to California residents due to the definition of “consumer.” There is no clarity on what “receives” means, so a conservative reading would count everything (essentially, holding 50,000 or more CA-related PI records).
3- Personal Information Sales
The business derives 50% or more of its annual revenues from selling consumers’ personal information.
Preparation for CCPA
Now onto some practical ways to ensure your organization is ready for CCPA, should you be audited. It can be a daunting project if you’re not sure how to navigate it.
Here are 8 recommendations on how to best prepare:
Step 1: Commit to a cybersecurity program. The best way to avoid an audit is to proactively commit to a cybersecurity program that secures PII in your environment and prevents a data breach.
Step 2: Obtain board-level support for CCPA. Executive support will help align the business and technical sides of the organization and ensure the two stay in alignment, minimizing potential gaps.
Step 3: Prioritize level of effort through a Gap Analysis.
Step 4: Ensure you have a list of all of your assets and map a data flow.
Step 5: Create Policies, Procedures and Processes to effectively manage CCPA.
Step 6: Implement a security program to secure personal information or partner with a firm like Cyber Defense Group for security advisory services.
Step 7: Ensure proper employee communication and training is completed.
Step 8: Monitor and audit for compliance regularly. Assessments should be conducted annually.
If you’d like more industry knowledge about these steps or what the auditors may be looking for during an audit, please request an appointment time below to discuss your particular needs.
We have General Counsel available to take your questions and can easily assess your environment.