California Consumer Privacy Act

What is the California Consumer Privacy Act (CCPA)?

California republicThe California Consumer Privacy Act, or CCPA, is a sweeping new regulation that became law in the summer of 2018.  The Act, which goes into effect on January 1, 2020, serves to enforce the privacy rights of California Consumers and mandates strict requirements for organizations that electronically collect, store, or process consumer’s personal information.   

This new regulation requires organizations to disclose to consumers what types of personal information they collect, for what purposes, and how it is used.  It provides consumers the right to restrict what organizations can and/or cannot do with their personal information.  For example, consumers can choose to opt-out of information sharing/selling programs of their personal information.  Consumers also can request access to their personal information or request that it be deleted or exported in a common electronic format. 

Organizations that do business with California consumers must quickly prepare to meet these new requirements.   This means understanding what types of personal information they collect, for what purposes, how it is used, stored, and protected.  It also means organizations need to be prepared to respond to consumers’ requests for the following; opt-in and opt-out of information sharing/selling programs, access-to, deletion-of and exporting of personal information.  Organizations are also required to make disclosures in the event of a security breach. 

The California Attorney General’s Office is mandated with maintaining and enforcing these new regulations.  The California AG’s Office will have the legal authority to apply civil penalties and fines for non-compliance.  This includes fines ranging from up to $2,500 to $7,500 per violation.  In addition, consumers can file class action lawsuits to recover damages $100 - $750 per consumer per incident.  The later has the potential for greater financial impact to businesses who suffer a breach where consumers’ personal information is exposed. 

Download the datasheet >

What This Means for Your Organization

The CCPA protects the personal information of California consumers.  The regulation applies to organizations worldwide who do business with California consumers.  Organizations that are subject to CCPA need to be aware of the following requirements and considerations: 

  • Require a business to make disclosures about the personal information it collects and the purposes for which it is used
  • Require the business to provide access to, deletion of, or exporting of California consumer’s personal information upon receipt of a verified request
  • Authorize businesses to offer financial incentives for collection of personal information
  • Prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified (referred to as the right to opt-in)
  • The regulation voids any waiver of a consumer’s rights under its provisions

If this sounds complicated, that's because it is. To meet the CCPA requirements, companies (US & International) are required to make a number of significant administrative and technical changes to their data handling processes, including:

  • Implementing a privacy program, which must include requirements for right to erasure, processing restrictions, and defined processes for how data collection and consent is handled
  • Implementing a program to support consumers requests for access-to, deletion-of or porting of personal information 
  • Following specific data breach notification and privacy complaint requirements
  • Implementing the appropriate privacy policies, procedures, and notices
  • Implementing opt-in / opt-out programs for information sharing/selling

Our Approach

Our Privacy Program development methodology provides a framework that can help your organization:

  • Develop a strategy that engages both executive management and organization stakeholders
  • Develop and fine tune a privacy program based on your organization's business, goals, and objectives
  • Develop privacy policies, procedures, guidelines, and standards to meet applicable laws regulations
  • Define strategies for continuous improvement and success metrics
  • Provide CCPA training

Our Process

1. Define organizational goals and objectives

  • Identify external and internal requirements
  • Evaluate the current state and efficacy of implemented controls
  • Define program goals and objectives
  • Provide a gap report with actionable remediation recommendations for incomplete or missing controls
  • Develop a custom privacy framework aligned to your business and security requirements

2. Develop a management framework

  • Define Management and Stakeholder responsibilities
  • Develop or refine the privacy risk assessment methodology
  • Draft or revise policies, procedures, and supporting documentation
  • Develop strategies and processes for addressing consumer requests

3. Develop operational processes and technical controls related to privacy

  • Develop or refine privacy Standard Operational Procedures (SOPs)
  • Develop or refine privacy technical controls and requirements
  • Define privacy program testing procedures and metrics
  • Develop information management capabilities that support consumer requests

4. Provide Implementation Support

  • Provide project management support
  • Provide technical assistance
  • Ensure implementation is consistent with your privacy framework and controls
  • Perform technical and administrative review of your privacy controls