
CCPA & CPRA Gap Assessments - A Proven Five Step Process

| CENTRIS | Pulse Alerts

The California Consumer Privacy Act (CCPA) is without question landmark legislation enacted to give consumers greatly enhanced privacy rights and protection clauses within the state of California. If your organization does business in the state of California and meets one or more of the following criteria, then it’s time to get serious about CCPA compliance:

  • Has annual gross revenue of more than $25 million;
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices, per year; or
  • Derives at least 50 percent of its annual revenues from selling consumers’ personal information.

Then, on November 3, 2020, California voters approved a ballot initiative, enacting the California Privacy Rights Act (CPRA), effectively amending the CCPA to create the most sweeping consumer data protection law in the United States.

Five-Step Process for CCPA & CPRA Gap Assessments

Need to become CCPA & CPRA compliant? Here’s a proven, five-step process that works well for any business:

  1. Defining Scoping Considerations.
  2. Assessing Data Privacy Requirements & Gaps.
  3. Assessing Information Security Requirements & Gaps.
  4. Assessing Documentation Requirements & Gaps.
  5. Remediation Activities.

(1). Defining Scoping Considerations:

Combined, the initial CCPA legislation and the newly mandated CPRA requirements are creating huge challenges for businesses having to comply with California’s sweeping data privacy measures. Therefore, it’s essential to assess and validate the following critical scoping issues when beginning a CCPA & CPRA assessment:

  • What types of categories of personal data (per CCPA 1798.140) are deemed in scope for CCPA & CPRA?
  • How is personal data being collected, used, shared & disclosed, stored, protected, retained, and disposed of?
  • What third parties are also considered in scope for the CCPA & CPRA, why, and do they have proper controls in place?

(2). Assessing Data Privacy Requirements & Gaps:

The operational aspects of CCPA & CPRA compliance are far-reaching indeed, as businesses need to ensure that various H.R., legal, privacy, and other prescriptive requirements are met for compliance with regard to the CCPA codes of 1798.100 to 1798.199.100.

(3). Assessing Information Security Requirements & Gaps:

Per code 1798.100, “…A business that collects a consumer’s personal information shall implement reasonable security procedures and practices…” You’ll need to do a deep dive to identify what “…reasonable security procedures and practices…” are in place, what gaps exist, and the next steps necessary for correcting security control deficiencies in terms of technical controls and policies and procedures.

(4). Assessing Documentation Requirements & Gaps:

Policies and procedures are a heavy mandate for the CCPA & CPRA, much like many of today’s regulations. As a business, it’s critical to identify policy and procedure gaps, along with performing all essential remediation activities for developing all required information security, cybersecurity, operational, and human resources documentation as required within the stated CCPA and CPRA codes.

(5). Remediation Activities:

Almost any organization undertaking a CCPA & CPRA gap assessment will find areas requiring remediation, as the scope and reach of both the California Consumer Privacy Act and the California Privacy Rights Act can be massive. Many times, remediation comes down to developing well-written policies and procedures relating to data privacy.


Why CENTRIS?
As an internationally recognized business consulting firm, our highly trained employees work in every conceivable industry/sector in the global business arena. Centris has the knowledge and expertise you need for solving the challenges you’re facing. Our professionals are at the forefront of many of today’s most pressing risk, privacy, cybersecurity and compliance issues affecting organizations. We have a deep bench of talented professionals ready to go to work for you.
