What This Means for Your Organization
The CCPA protects the personal information of California consumers. The regulation applies to organizations worldwide that do business with California consumers. Organizations that are subject to the CCPA need to be aware of the following requirements and considerations. The regulation:
- Requires a business to make disclosures about the personal information it collects and the purposes for which it is used
- Requires the business to provide access to, deletion of, or exporting of a California consumer’s personal information upon receipt of a verified request
- Authorizes businesses to offer financial incentives for collection of personal information
- Prohibits a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified (referred to as the right to opt in)
- Voids any waiver of a consumer’s rights under its provisions
If this sounds complicated, that's because it is. To meet the CCPA requirements, companies (US and international) are required to make a number of significant administrative and technical changes to their data handling processes, including:
- Implementing a privacy program, which must include requirements for right to erasure, processing restrictions, and defined processes for how data collection and consent are handled
- Implementing a program to support consumers' requests for access to, deletion of, or porting of personal information
- Following specific data breach notification and privacy complaint requirements
- Implementing the appropriate privacy policies, procedures, and notices
- Implementing opt-in / opt-out programs for information sharing/selling