In this post, I’m going to show you things you should be doing to prepare to comply with the California Consumer Privacy Act.
These are the exact steps that we are using with all of our compliance consulting clients in 2019.
Let’s dive right in.
- 1. Figure out if your organization has to be compliant
- 2. Perform a personal information collection review
- 3. Map out data relationships
- 4. Review policies and procedures for handling personal info
- 5. Update your organization’s privacy policies
- 6. Prepare for meeting consumer opt-out and deletion requests
- 7. Review contracts with third parties
- 8. Conduct audits of service providers with access to personal information
- 9. Review security controls and practices
- 10. Implement data encryption policies
- 11. Train employees about the California Consumer Privacy Act
Note: This is not an exhaustive list of the steps an organization should take to comply with CCPA by any means. Instead, it is a list of starting points.
FREE CALIFORNIA CONSUMER PRIVACY ACT DATA MAPPING TOOL
We have developed a tool that we use EVERY time we start mapping data for our clients. It’s an essential part of our privacy toolbag. We decided we would share the tool with you. Do you want it?
1. Figure out if your organization has to be compliant
The first thing that you need to do to prepare for compliance with the California Consumer Privacy Act is figuring out if you have to be compliant.
So, who must comply with the California Consumer Privacy Act (CCPA)?
Basically, any for-profit business that does business in California and meets at least one of three criteria: 1) annual gross revenue above $25 million, 2) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, or 3) gets 50 percent or more of its annual revenue from selling consumers’ personal information.
If your organization meets any of these criteria, it must comply with the law.
I will add this:
Every organization should get familiar with the principles of CCPA though.
There’s definitely a push for more privacy in the United States; if you begin implementing the principles now, your organization will be ready when sweeping privacy regulations come.
Let’s look at each of these criteria a little closer.
Revenue Criteria
This one is pretty self-explanatory.
If your organization has annual gross revenue above $25 million, it has to be compliant with CCPA.
The one thing that may confuse people is this:
The law applies to any organization with that revenue level that collects information on California residents.
Even if the organization is not headquartered in the state.
They can be anywhere.
Amount of Personal Data Criteria
This California Consumer Privacy Act compliance criterion could be a little more confusing.
No worries though,
We’ll keep it super simple.
Basically, if your organization annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, you must comply with the regulation.
Here’s why it’s easy to get this wrong:
You need to understand what the California Consumer Privacy Act calls personal information (the statute says “personal information” rather than “personal data”; this post uses the terms interchangeably).
The regulation has quite a list of items that make up personal information.
What exactly is personal data under CCPA?
In general, personal information under the California Consumer Privacy Act is any information that can be used to identify an individual or household as well as any information that could reasonably lead back to the consumer. It’s quite a list of specific items.
- Real name
- Postal address
- Any unique personal or online identifier, such as:
  - IP addresses
  - Email addresses
  - Account names
  - Social security numbers
  - Driver’s license numbers
  - Passport numbers
- Biometric information (iris scans, retina scans, fingerprints, hand prints, etc.)
- Internet activity like browsing or search history, interactions with your organization’s website, or advertisements
- Geo-location data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment information
- Information about education
- Inferences drawn from any of the above to build a profile of a consumer
As you can see, that includes a lot of data types.
And it’s very easy to qualify under this criterion.
If your organization’s website gets a decent amount of traffic, that alone could force you to be compliant with the California Consumer Privacy Act.
138 unique visitors a day is over 50,000 a year (138 x 365 = 50,370).
The threshold counts consumers, households, or devices, not page views, so a repeat visitor from the same device counts once, but every new device whose IP address lands in your logs counts toward it.
That alone would make an organization have to comply with CCPA.
2. Perform a personal information collection review
Figuring out what personal information your organization collects is super important.
In fact, it’s the basis for everything else you will be doing.
So, it goes without saying:
Make sure you are thorough and patient when completing this step.
Let’s look at exactly how to perform this internal review.
Step 1: Begin by asking each department to brainstorm any kind of data they collect about people.
Have them create a list of this data.
Step 2: Ask all of your employees what kinds of personal data they deal with on a daily basis.
They are the ones doing the work.
So, they will know best what they are handling.
Step 3: Be sure not to forget anything.
There may be places that your organization collects personal data that you’re not aware of.
For example, under the California Consumer Privacy Act, an individual’s IP address is considered personal information.
So, if your website runs any kind of analytics, SEO, or security software (a web application firewall, for example), it almost certainly collects and processes IP addresses, and your web server’s own access log records one for every request whether anyone planned to collect it or not.
It costs about $2100 and can help reduce labor for data discovery.
The tool allows you to specify compliance standards in network scans.
Some platforms like Azure and Office 365 even have the capability to perform scans built in.
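Here is a small Python script, added to this post as an example (it is not part of our toolkit and not one of the scanners mentioned above), that does the kind of first-pass discovery Step 3 is about: it runs a few regexes for identifier types CCPA lists (IP addresses, email addresses, SSNs) over whatever text you point it at. The inputs below are constructed sample data; the source names, patterns, and the masking rule are my assumptions for the example. Notice that the web server access log turns up IP addresses even though nobody “decided” to collect them, while the deploy note that merely looks like it contains an IP is filtered out.

```python
import re
from dataclasses import dataclass, field

# Detectors for a few of the identifier types CCPA names as personal
# information. Regexes are a coarse first pass: expect false positives
# (version strings that look like IPs) and false negatives (formats these
# patterns don't cover). Hypothetical patterns chosen for this example.
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def _is_ipv4(s):
    """Reject dotted quads whose octets exceed 255 (e.g. '10.300.1.1')."""
    return all(0 <= int(part) <= 255 for part in s.split("."))

def _mask(value):
    """Keep enough of a hit to locate it, not enough to re-identify someone.
    The findings report must not become one more place PI lives."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]

@dataclass
class Finding:
    source: str
    category: str
    count: int
    samples: list = field(default_factory=list)

def scan_source(name, text):
    """Return one Finding per PI category present in `text`."""
    findings = []
    for category, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if category == "ip_address":
            hits = [h for h in hits if _is_ipv4(h)]
        if hits:
            uniq = sorted(set(hits))
            findings.append(Finding(name, category, len(hits), [_mask(h) for h in uniq[:3]]))
    return findings

def scan_sources(sources):
    """sources: {source_name: text}. Returns all Findings across sources."""
    out = []
    for name, text in sources.items():
        out.extend(scan_source(name, text))
    return out

def summarize(findings):
    """{source: {category: count}}: the raw material for the data map."""
    by_source = {}
    for f in findings:
        by_source.setdefault(f.source, {})[f.category] = f.count
    return by_source

# Constructed sample inputs (not real data). Addresses are from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_SOURCES = {
    "nginx/access.log": (
        '203.0.113.7 - - [12/Mar/2019:10:01:22 +0000] "GET /contact HTTP/1.1" 200 512\n'
        '198.51.100.23 - - [12/Mar/2019:10:01:40 +0000] "POST /request-info HTTP/1.1" 302 0\n'
        '203.0.113.7 - - [12/Mar/2019:10:02:01 +0000] "GET /thanks HTTP/1.1" 200 300\n'
    ),
    "crm/export.csv": (
        "name,email,notes\n"
        "J. Doe,jdoe@example.com,requested catalog\n"
        "A. Roe,aroe@example.net,SSN on file 123-45-6789 for credit app\n"
    ),
    "wiki/deploy-notes.txt": "Bumped agent to version 10.300.1.1, no customer data here.\n",
}

if __name__ == "__main__":
    for source, categories in summarize(scan_sources(SAMPLE_SOURCES)).items():
        print(source, categories)
```

Point `scan_sources` at real exports, log samples, and file shares, then carry each source/category pair into the data map. Treat the hit counts as leads to confirm with the people who own the system, not as the final inventory.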
3. Map out data relationships
Customers’ right to know what data is collected and who it is shared with is a huge component of the California Consumer Privacy Act.
To be able to meet this demand, organizations have to create data maps.
They need to be able to show the scope of personal information being collected, how it is used internally, whether it’s sold to or shared with third parties, and the purpose that it’s shared.
That’s a lot to keep up with!
As you can see, mapping data relationships is vital.
Let’s see how you can do this easily.
First, setup a spreadsheet that you can use for the process or GET OUR FREE DATA MAPPING SHEET HERE.
Data Discovery Note: While there are tools that you can use to search for data within your organization, I recommend that you take the manual route first.
It will help you get a clear picture of the data your organization collects.
Once you have completed the data map, then you can use an automated data discovery and mapping tool to ensure you haven’t missed anything.
Most tools also help your compliance officers ensure data remains in the right places.
Using the Free Data Mapping Template, the first thing you’ll need to do is fill in the source of the data being collected.
In my case, I will put “request for more information form.”
That’s the name of my form on my website.
It may be useful to come up with a standard naming convention. Something like:
That’s entirely up to your organization though.
Now, we’ll keep moving through the columns, carefully filling in all of the information needed for California Consumer Privacy Act compliance and to meet consumer requests.
4. Review policies and procedures for handling personal info
The California Consumer Privacy Act definitely seeks to change the way that organizations treat California residents’ personal information.
This change in treatment begins inside of organizations.
One of the first ways that organizations will need to begin implementing this is by reviewing policies and procedures.
Let’s talk about what needs to be included.
First, you’ll want to make sure that your organization has an organized way in which personal data is handled.
Here’s what I mean.
The typical file system set up in an organization looks like this:
There’s a central file server that users connect to from their workstations to access files.
There are definitely benefits to this type of approach.
A single server can be backed up without having to back up every single computer.
The problem is:
Often, employees will download a file to their local machines for one reason or another.
When it comes to the California Consumer Privacy Act and the consumer wants their data removed, what happens?
The records and files on the file server or database are removed, right?
But that copy on the user’s computer (or in a mailbox, or on a backup), no one knows it’s there, and it survives the deletion.
So, to mitigate this problem, organizations will need to create policies and procedures around exactly how employees must handle protected information, including where copies are allowed to live, so that a deletion request can actually reach all of them.
At the same time, Data Loss Prevention systems may need to be put in place to enforce the rules.
5. Update your organization’s privacy policies
One very important task when preparing to comply with the California Consumer Privacy Act is updating (or creating) your organization’s privacy policies.
These policies tell your customers exactly what data you are collecting from them and the purpose in the collection.
Let’s look at some of the specific items you are required to include.
The Facebook privacy scandal a couple of years ago enlightened everyone to what is actually happening with their data.
Previously, most people didn’t care about the privacy policies for organizations who hold their data.
This is all changing.
First, you need to have a section describing the consumers’ rights.
These are the rights they have based on the California Consumer Privacy Act.
The right to know what is collected about them, the right to request that their data be deleted, the right to opt out of the sale of their personal information (if you sell it, a clearly visible “Do Not Sell My Personal Information” link is required), and the right not to be discriminated against for exercising any of these.
What is collected
This should be all of the categories of personal information collected about the individual.
California Consumer Privacy Act text says this should be the categories of personal information collected in the preceding 12 months.
How personal information is shared
Next, you must inform consumers how their personal information is shared.
This involves two methods of sharing: disclosing it to a third party for a business purpose, or selling it.
You will need to have a separate list for each.
Also, if your organization doesn’t share or sell personal data, be sure to state so.
6. Prepare for meeting consumer opt-out and deletion requests
Let’s face it:
Everyone at your organization has a ton of work to do, right?
They’re not going to want to deal with manually reviewing CCPA information requests or requests to opt-out.
You need to set up systems to help you automate that process.
First of all, you have to create a way for consumers to request a copy of the data your organization collects and for them to request deletion.
There are numerous ways to do this, but you must verify these requests before acting on them.
Once they are verified, you must send them the requested data within 45 days of receiving the request (the law allows one additional 45-day extension when reasonably necessary, provided you tell the consumer).
One way that this can be done is via pre-built email templates.
Most email clients will allow you to create template emails so that you can insert the template, change the name and send it.
In fact, you can even set this up to be triggered automatically once the request has been verified. Don’t automate delivery straight off the raw request, though: anyone who can type someone else’s email address into your form would then be able to pull that person’s data.
Just make sure you have a way to document that the request was verified and met.
Using a method like this to automate the task can save your team lots of time.
Note that if your organization collects different categories of data from different consumer groups, you may need to fine-tune this system.
The data maps that you have already created will be invaluable for this process.
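To show how the data map from section 3 drives the requests in this section, here is an added Python example (it is not our spreadsheet template and not code from the original post). It models the map as rows with the columns discussed above (source, system, categories, purpose, who it is disclosed to, who it is sold to), keeps a few constructed consumer records per system, verifies a request before touching anything, answers an access request with the preceding 12 months of categories and recipients, executes a deletion across every system and lists the vendors that must be told, and writes an audit entry for each request. The systems, vendor names, contact addresses, secret, and the HMAC-token verification scheme are all assumptions made for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Hypothetical server-side secret used only to mint and check request
# tokens. In production it lives in a secrets manager and gets rotated.
SECRET = b"constructed-example-secret-not-for-production"

# Email address on file per consumer (constructed). A request is only
# verified if it comes from, and the token was issued to, this address.
CONTACTS = {"c-100": "jdoe@example.com", "c-200": "aroe@example.net"}

# The data map: one row per collection point, same columns as the sheet.
DATA_MAP = [
    {"source": "request-for-more-information-form", "system": "crm",
     "categories": ["name", "email", "ip_address"], "purpose": "respond to inquiries",
     "disclosed_to": ["email-delivery-vendor"], "sold_to": []},
    {"source": "checkout", "system": "orders-db",
     "categories": ["name", "postal_address", "purchase_history"], "purpose": "fulfil orders",
     "disclosed_to": ["shipping-carrier"], "sold_to": []},
    {"source": "site-analytics", "system": "analytics-vendor",
     "categories": ["ip_address", "browsing_history"], "purpose": "site measurement",
     "disclosed_to": [], "sold_to": ["ad-network"]},
]

# Constructed records per system, standing in for the real stores.
RECORDS = {
    "crm": [{"consumer": "c-100", "source": "request-for-more-information-form", "collected": "2019-02-01"}],
    "orders-db": [{"consumer": "c-100", "source": "checkout", "collected": "2017-06-30"},
                  {"consumer": "c-200", "source": "checkout", "collected": "2019-01-15"}],
    "analytics-vendor": [{"consumer": "c-100", "source": "site-analytics", "collected": "2019-03-03"}],
}

AUDIT_LOG = []  # your proof that each request was verified and met

def issue_token(email, request_id, secret=SECRET):
    """Mailed to the address on file; only whoever controls that mailbox can finish the request."""
    return hmac.new(secret, f"{request_id}:{email}".encode(), hashlib.sha256).hexdigest()

def verify_request(consumer, email, request_id, token, secret=SECRET):
    """The email must be the one on file for this consumer and the token must match, in constant time."""
    if CONTACTS.get(consumer) != email:
        return False
    return hmac.compare_digest(issue_token(email, request_id, secret), token)

def _consumer_records(consumer):
    return [(system, r) for system, recs in RECORDS.items() for r in recs if r["consumer"] == consumer]

def _rows_for_sources(sources):
    return [row for row in DATA_MAP if row["source"] in sources]

def access_disclosure(consumer, as_of):
    """Right-to-know response: categories, purposes and recipients for the preceding 12 months."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=365)
    recent = {r["source"] for _, r in _consumer_records(consumer)
              if date.fromisoformat(r["collected"]) >= cutoff}
    rows = _rows_for_sources(recent)
    return {
        "categories_collected": sorted({c for row in rows for c in row["categories"]}),
        "purposes": sorted({row["purpose"] for row in rows}),
        "disclosed_for_business_purpose": sorted({v for row in rows for v in row["disclosed_to"]}),
        "sold_to": sorted({v for row in rows for v in row["sold_to"]}),
    }

def delete_consumer(consumer):
    """Deletion is not time-boxed: remove every record in every system, and list the
    vendors that received the data so they can be told to delete their copies too."""
    held = _consumer_records(consumer)
    systems = sorted({system for system, _ in held})
    rows = _rows_for_sources({r["source"] for _, r in held})
    vendors = sorted({v for row in rows for v in row["disclosed_to"] + row["sold_to"]})
    for system in systems:
        RECORDS[system] = [r for r in RECORDS[system] if r["consumer"] != consumer]
    return {"systems": systems, "notify": vendors, "deleted": len(held)}

def handle_request(kind, consumer, email, request_id, token, as_of):
    """Verify, act, log. `kind` is 'access' or 'delete'; `as_of` is an ISO date string."""
    verified = verify_request(consumer, email, request_id, token)
    entry = {"request_id": request_id, "kind": kind, "consumer": consumer,
             "as_of": as_of, "verified": verified}
    if not verified:
        entry["result"] = "rejected"       # nothing is released or deleted
    elif kind == "access":
        entry["result"] = access_disclosure(consumer, as_of)
    elif kind == "delete":
        entry["result"] = delete_consumer(consumer)
    else:
        raise ValueError(f"unknown request kind: {kind}")
    AUDIT_LOG.append(entry)
    return entry

if __name__ == "__main__":
    tok = issue_token("jdoe@example.com", "req-1")
    print(handle_request("access", "c-100", "jdoe@example.com", "req-1", tok, "2019-04-01"))
    tok = issue_token("jdoe@example.com", "req-2")
    print(handle_request("delete", "c-100", "jdoe@example.com", "req-2", tok, "2019-04-01"))
```

Two things worth copying even if you never run this: the deletion path walks every system the map says holds the consumer and hands you the list of vendors to notify, which is exactly the lookup the spreadsheet exists for, and the audit entry records the verification result, so a rejected request is evidence too.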
7. Review contracts with third parties
Many organizations make contracts with their providers.
However, most organizations have no idea what is in the contracts they sign.
They simply sign them as part of the agreement and don’t think anything about it.
When it comes to security and privacy compliance, though, this approach will not work.
The contract your organization signs with your business partners outlines (or should) exactly how each organization will handle privacy and security.
The last thing you want is for a breach to happen and to suffer legal repercussions only to have a supplier shift all of the blame to you because of a contract.
Contract Review Process
Start by requesting a copy of existing contracts with business partners for any that you don’t already have.
If you’re dealing with large companies like Google, as an example, you have little choice.
They simply issue an agreement, and you agree or don’t use their services.
You’re typically safe with large organizations like Google as long as you complete your part of the agreement and implement best practices.
Once you have your contracts or agreements in front of you, go through them and identify items that affect compliance with the California Consumer Privacy Act.
List them out so you can see them very simply.
Then, if you need to request modifications to any parts, you can.
At the same time, you will clearly understand what each party is responsible for.
For example, if the partner is acting as a service provider under CCPA, the contract has to prohibit it from retaining, using, or disclosing the personal information for any purpose other than performing the services, which rules out selling it; if the existing agreement doesn’t say that, request that it be added.
8. Conduct audits of service providers with access to personal information
Have you noticed that there seem to be more and more cases where organizations are breached because of a third party?
If you haven’t, let me assure you:
They’re definitely on the rise.
That is why it is more important than ever that you are looking closely at your service providers to make sure they have good privacy and security practices.
In fact, the California Consumer Privacy Act gives organizations a strong reason to do this: a business that hands personal information to a service provider is shielded from that provider’s violations only if, at the time it disclosed the data, it had no knowledge or reason to believe the provider intended to violate the law.
Let’s look at some actionable tips.
So, while the statute doesn’t use the word “audit,” under CCPA you need to know how the companies and partners that have access to your customers’ personal information actually handle it.
Here’s an example to help you understand:
RetailX is an ecommerce store that sells men’s apparel.
Like all companies, they want to improve their sales; so they hire MarketingY, a marketing company.
MarketingY uses all of the data that RetailX collects about its customers to help them reach them better.
Since MarketingY will have access to the personal information of RetailX’s customers, RetailX needs to audit MarketingY’s privacy practices.
One of the best ways that we’ve found for auditing vendors and service providers is with questionnaires.
We use this approach all of the time with HIPAA compliant organizations.
Begin by sending the organization a heads-up email. Here’s a script that you can use.
To whom it may concern,
YOUR_COMPANY_NAME is dedicated to providing the best privacy and security standards that we can. Furthermore, in order to meet compliance regulations for the California Consumer Privacy Act of 2018, we have been making changes to our processes.
We want to make sure that the data of our customers is handled properly. This includes the data that is shared with our vendors and service providers. We are auditing all of our providers and ensuring that we are comfortable continuing our relationships with them, based on their privacy and security stance.
We would like to send a few questions to help us gauge how your organization is handling privacy and security as well as compliance with the California Consumer Privacy Act of 2018.
Until now, PERSONS_NAME has been our contact at VENDOR_COMPANY_NAME. Would you like us to send the questions to them? Or is there someone dedicated to such tasks that we should send it to?
Once you know who should receive the questions, you can send the form directly to them.
A few questions that we have found that help us quickly assess an organization’s privacy and security posture are:
Does your organization realize that it must be compliant with XXXX? (Of course, only if it actually does)
When is the last time your organization had security and privacy awareness training?
Has your organization performed a security risk assessment? If so, which methodology or framework did you use?
Does your organization sell personal information?
Describe your company’s policies and procedures around the privacy of consumer information.
What is your organization’s SLA for response time to consumer data collection disclosure requests?
Does your organization have a formal security program in place? If so, which model is it based on?
9. Review security controls and practices
Organizations should do their best to secure the data they collect from their consumers, right?
I would agree.
The California Consumer Privacy Act text seems to agree also.
Its private right of action specifically covers personal information that is stolen while nonencrypted and nonredacted because the business failed to implement and maintain reasonable security.
We’ll talk about encryption in the next section, but let’s talk about security controls here.
Today, every organization needs to have a security program in place.
No matter how small they are.
There is something that every organization could lose or suffer from if they are compromised.
The photographer: what if all of his pictures are deleted?
The restaurant: what if all of its recipes are stolen?
Do you see what I mean?
Not every organization will implement the same security controls.
Only what is appropriate for their organization.
In the California Consumer Privacy Act, when security is mentioned, it states that organizations should implement reasonable security practices.
Can you imagine trying to prove what’s “reasonable” in court?
To avoid that, here’s what I recommend:
Use a standard framework that is widely accepted and industry recognized.
The NIST Cybersecurity Framework is a great one.
It’s even followed by the government.
But it can be a little overwhelming for some organizations.
As a simpler alternative, you could start with the CIS 20 Controls by the Center for Internet Security.
In the case of the CIS 20, start with the basic and foundational controls.
Create a timeline of when you plan to implement each control.
Then, begin working through them. (It’s understandable that this can take time – even months)
As you go, document what steps you complete and your findings.
Be sure to include steps you plan to take to remediate any weaknesses.
This documentation will be your proof – should it be needed – that you are following a security standard and are taking reasonable steps.
10. Implement data encryption policies
Under the California Consumer Privacy Act, consumers can bring action against organizations when their nonencrypted and nonredacted personal information is stolen or exfiltrated as a result of the business failing to implement and maintain reasonable security practices.
That’s a huge change from the status quo.
Almost daily, we see massive breaches of people’s information.
It’s time to change that.
So, what can you do to begin securing the personal information of your customers?
Without getting into too much technical detail, there are basically a few options when it comes to encryption.
There’s disk encryption that encrypts an entire volume or hard drive.
Then there’s file, folder, or field-level encryption that encrypts individual files and folders on a drive, or individual columns in a database.
And there’s encryption of data in motion.
Each of these encryption technologies has its place, but for protecting personal information, some are a better fit than others.
When a person encrypts a hard drive, that encryption is really only of value while the computer is off or the volume is locked: it protects against a stolen laptop or a disk pulled out of a server.
Once the computer is booted and the volume unlocked, the operating system hands decrypted data to any process that asks for it.
If an attacker gains access to the computer while it is on (a compromised account, a web shell, malware), they can still read everything present, and a breach of that data is not an “encrypted” breach in any useful sense.
So, what typically works better for the sake of protecting personal information is a mixture of file/folder/share or field-level encryption, with the keys kept away from the data they protect, and encrypting data in motion.
A few practical tips:
Either use the built-in mechanism of your platform (on Windows, BitLocker encrypts whole volumes, while EFS encrypts individual files and folders) or find a third-party solution that will work in your environment.
Generate keys with a cryptographically secure random generator, use authenticated encryption (AES-GCM or similar), and store the keys in a key manager or HSM rather than on the same server as the data, since an attacker who gets the database and the key next to it has everything.
Use WPA2 (or WPA3 where your equipment supports it) for WiFi communications, and TLS for every application connection that carries personal information.
Implement something like IPsec on your LAN. That way communications between all machines will be encrypted.
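As an added example of the file/field-level approach (not code from the original post; it assumes the `cryptography` Python package is installed), here is a Python snippet that encrypts the personal-information fields of a consumer record with AES-GCM before the record is stored. The field list, record layout, and record IDs are hypothetical. The point it makes: a copied table is unreadable without the key, and because each ciphertext is bound to its record ID and field name, a ciphertext can’t be moved into another row, and a wrong key is rejected rather than producing garbage.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Fields of a consumer record that are personal information and must never
# be written to storage in the clear. Hypothetical schema for this example.
PI_FIELDS = ("email", "postal_address", "ip_address")
NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM

def new_key():
    """256-bit key from the OS CSPRNG. Hold it in a key manager or HSM, not beside the data."""
    return AESGCM.generate_key(bit_length=256)

def _aad(record_id, field):
    # Associated data binds the ciphertext to this row and column: the tag
    # check fails if the blob is copied into another record or field.
    return f"{record_id}:{field}".encode()

def encrypt_record(key, record_id, record):
    """Return a copy of `record` with each PI field replaced by {nonce, ct}."""
    aead = AESGCM(key)
    stored = dict(record)
    for field in PI_FIELDS:
        value = record.get(field)
        if value is None:
            continue
        nonce = os.urandom(NONCE_LEN)  # fresh per encryption; reuse with the same key breaks GCM
        ct = aead.encrypt(nonce, value.encode(), _aad(record_id, field))
        stored[field] = {"nonce": nonce.hex(), "ct": ct.hex()}
    return stored

def decrypt_record(key, record_id, stored):
    """Inverse of encrypt_record. Raises InvalidTag on a wrong key or a moved/altered blob."""
    aead = AESGCM(key)
    record = dict(stored)
    for field in PI_FIELDS:
        blob = stored.get(field)
        if isinstance(blob, dict):
            pt = aead.decrypt(bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"]),
                              _aad(record_id, field))
            record[field] = pt.decode()
    return record

def is_plaintext_pi_exposed(stored):
    """What someone who copies the table without the key can read: any PI field still a string."""
    return any(isinstance(stored.get(field), str) for field in PI_FIELDS)

def swap_is_detected(key):
    """Move one consumer's encrypted email into another's row; the AAD mismatch is caught."""
    a = encrypt_record(key, "c-100", {"email": "a@example.com"})
    b = encrypt_record(key, "c-200", {"email": "b@example.com"})
    b["email"] = a["email"]
    try:
        decrypt_record(key, "c-200", b)
    except InvalidTag:
        return True
    return False

def wrong_key_is_detected():
    """Data encrypted under one key is rejected, not garbled, under another."""
    stored = encrypt_record(new_key(), "c-100", {"email": "a@example.com"})
    try:
        decrypt_record(new_key(), "c-100", stored)
    except InvalidTag:
        return True
    return False

if __name__ == "__main__":
    key = new_key()
    row = {"name": "J. Doe", "email": "jdoe@example.com", "ip_address": "203.0.113.7"}
    at_rest = encrypt_record(key, "c-100", row)
    print("stored:", at_rest)
    print("readable without key:", is_plaintext_pi_exposed(at_rest))
    print("round trip ok:", decrypt_record(key, "c-100", at_rest) == row)
```

This only helps if the key really does live somewhere the attacker who copies the table can’t reach: an environment variable on the same database host is not that place. Plan for key rotation too, since re-encrypting under a new key means touching every record.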
11. Train employees on the California Consumer Privacy Act
It is very important that organizations train their employees on handling personal data in compliance with data privacy regulations.
The California Consumer Privacy Act is only the beginning of a push for more privacy, and privacy training is a best practice that all organizations should be implementing anyway.
So, let’s look at some steps for training up those employees.
Divide the members of your organization into categories based on the level of interaction they have or will have with personal information.
You’ll want to give employees appropriate training based on their role.
Someone who simply works in the company, and might be tempted to copy data to a USB drive, needs the handling rules but doesn’t need to know how to fulfil consumer data requests.
Here are the “buckets” I recommend dividing your employees into:
Data Handlers, Consumer Handlers, Management & Legal
You can do this however you want, but in my opinion, these categories delineate the roles pretty well.
Teach all groups the basics of the law.
No matter what their individual roles are, they all need to understand the overarching goals of CCPA.
These topics include:
- What is data privacy
- What is personal information
- Consumers’ rights to opt-out
- Consumers’ rights to request data being collected
- Proper data handling and disposal
Develop and provide more specific training for users in their individual “buckets.”
They should receive in-depth training on the parts of California Consumer Privacy Act that apply directly to their job roles.
Fines and penalties are stiff.
You can’t risk your employees causing detriment to your organization because they weren’t trained.
Be sure to include training on organizational policies and procedures as well.
When it comes to consumer data requests and deletion requests, it will make your teams’ jobs so much easier if company policies are followed and data is centralized.
One of our favorite security and privacy awareness training solutions is KnowBe4.
While using encryption in your environment is a strong control to prevent breaches, it’s not the silver bullet.
There are still ways around it.
Training users on security principles is of utmost importance.
If you want to secure your organization, user training should be at the top of the list.
KnowBe4 is the tool to do it.
Now It’s Your Turn
Now I’d like to hear what you have to say:
Which strategy from today’s post are you ready to try first?
Have you figured out if you have to be compliant with the California Consumer Privacy Act?
Do you have another tip to add to the list?
Either way, let me know by leaving a comment below right now.