Steps You Need to Take to Comply with the CCPA
This is the third article in a series of four that I put together on the California Consumer Privacy Act, also known as the CCPA.
The first article discussed how to figure out if the CCPA applies to your business.
The second article reviewed some common misconceptions about the CCPA.
And in this third article, I'm going to cover what you need to do to comply with CCPA requirements.
The first thing you need to do to comply is update your website privacy policy.
The CCPA contains specific requirements that you need to address in your privacy policy. To be in compliance, you need to make sure those elements are included.
The second requirement is to add certain notice language on any page where you're collecting personal information.
This notice language needs to disclose what personal information you collect, and how you use it (or provide a link to your website Privacy Policy, if this information is disclosed there).
The third requirement relates to companies that may be involved in selling California resident personal information.
If you do sell personal information in the course of your business, you'll need to add a button to your website homepage (called the "do not sell my personal information" button) that will allow people to opt out of the sale of their personal information.
The fourth requirement is to set up a process to allow California residents to submit requests to access their personal information that you have in your possession, and also to delete that information.
The fifth requirement is to review your contracts with any service providers, such as your IT vendors, to which you transfer California resident personal information.
Your contracts with those vendors have to include basic data privacy requirements, and this may require you to execute some contract amendments with some of your vendors.
The last thing to focus on is data security processes and procedures.
You need to make sure that you're protecting personal information in your possession and that you respond in compliance with applicable law if you have a breach. There is some potential legal liability there, given that the CCPA gives data subjects the right to sue in the case of a data breach. So, you want to make sure that you're protecting data to the greatest extent possible.
These are the key requirements to comply with the CCPA.
The CCPA went into effect on January 1st, 2020, and enforcement began on July 1st, 2020.
In the next video, the final one in this series, I’ll talk about how to roll out your CCPA compliance processes in your company.