Getting ready for CCPA: what do businesses need to do?

By Guy Cohen - September 23, 2019

The California Consumer Privacy Act (CCPA), the most far-reaching privacy regulation in the US to date, goes into effect on January 1, 2020.

Preparing for the CCPA is important and you can take some steps now.

Step 1 – Organisational Privacy Framework 

Your organisational privacy framework comprises policies and procedures for dealing with privacy issues; a governance structure which ensures the appropriate people are accountable for determining effective policies and procedures; the tools and technology used to manage privacy risk; and the training to make sure staff adhere to the policies and follow the procedures.

Even though the CCPA, unlike the GDPR, has no obligation to demonstrate accountability, it's a useful principle to bear in mind. Accountability helps make sure policies and procedures are sufficient and enforced. In particular, it is wise to have policies for dealing with employee data, for dealing with consumer data rights requests, and for what to do if a data breach occurs. The CCPA allows 30 days after a breach to 'cure' the violation, and that's why data watermarking - putting a watermark into the data itself from which the origin can be extracted - can be a key tool in your toolbox. It helps organisations identify where a breach came from, enabling quick resolution of the issue.

The CCPA is the first law of its kind in the US, but it is unlikely to be the last. To get ahead of the coming legislation, in the US and abroad, it is worth thinking about your legal requirements across all jurisdictions you operate in. Even if you've done so fairly recently, it's advisable to have a fresh review, as many countries have passed data protection or other privacy-related laws in the last few years.

Step 2 – Data Audit

Carrying out a data audit or data mapping means more than just checking what datasets you have. It also means finding out what you're doing with your data and who's doing it. Are datasets processed for you by suppliers or partners? What systems are you using and what capabilities do the systems have? In the context of the CCPA, knowing who else processes your data is important: if you get any kind of benefit on the basis of them accessing your data, there may be implications.

Step 3 – Minimize, delete, de-identify, pseudonymize, and encrypt what you can

The lowest-risk data is that which has been deleted. If you find you're processing personal information that you don't need, delete it. The CCPA mentions de-identified data - data which is not reasonably capable of being associated with an individual - which is out of the scope of the law. When possible, delete what you don't need, and de-identify or pseudonymize what you can. Under the CCPA there is a private right of action if certain special categories of data, such as Social Security number, driver's license number, and medical information, are breached. Make sure that these special categories are pseudonymized or encrypted wherever possible to minimise the risk of a class action.

Step 4 – Functional capabilities 

Look at how you will comply with CCPA rights. The CCPA requires you to notify consumers about what you're doing, but it also requires you to allow them to opt out, delete, and access their data. Some systems aren't designed to deliver these kinds of discrete data actions at the individual consumer level, so make sure you know what your systems can and can't do, and have a plan for those systems which don't yet have that functionality.

-- 

Guy Cohen, Strategy and Policy Lead, Privitar