4 Steps to Prepare for The California Consumer Privacy Act (CCPA)

June 27, 2019

The world as we know it continues to grow and change. In 2019, experts predict that the population of California will grow to over 40 million residents. This is an incredibly large percentage of Americans, and as such there are new laws and regulations going into effect that will impact both brands and consumers in California and beyond. The California Consumer Privacy Act (CCPA) is one of these regulations that will have lasting consequences, especially on brands that work in or with consumers based in California.

Understanding CCPA

The CCPA was first drafted in 2018 to set strict data management guidelines for brands doing business in California or with California residents, which includes some of the largest brands in the world. It protects the personal information of California residents by requiring any brand that is collecting consumer information to disclose the categories and/or types of information that they are collecting. CCPA covers all information companies are collecting about consumers, not just that which has been collected electronically.

The CCPA also gives consumers the power to:

  • Request disclosure of third parties that have access to their personal information
  • Ask that any personal information be deleted at any time
  • Opt out from allowing corporations to sell their data to third parties
  • Request disclosure from businesses about any personal information they’ve collected

How to prepare for the CCPA

In order to remain fully compliant with the CCPA regulations and to prepare for any other state-level acts that may pass in the future, InfoSec teams should take proactive steps to prepare their businesses, processes, and workflows to be able to deliver the correct information to consumers.

1. Set up an internal team: Accurately preparing for CCPA can be a full-time exercise in organization and data management. Setting up a dedicated internal team with a project leader, assigning resources for each stage of the project, and knowing who is responsible for what is a good place to start. This will ensure your compliance work is clear, organized, and accurate from the beginning.

2. Self-assess your process against GDPR regulations: While CCPA is restrictive, it’s not the first regulation out there to put tighter controls on consumer data — that honor goes to GDPR. Because your team (hopefully) already has compliance processes in place for GDPR, comparing your current workflows with the required CCPA processes can be a great starting point. Here are a few differences to get you started:

  • Definition of personal data: The CCPA has a broader definition of personal data, encompassing data about electronic devices and entire households on top of PII.
  • 4th party management and subcontractors: A part of GDPR that is not specifically called out in CCPA, although there are strong hints that future revisions of the act will include 4th party management regulations.
  • Rights To: While GDPR has nine Rights To, CCPA only focuses on four — Rights To Disclosure, Rights To Deletion, Rights To Opt Out, and Rights To Non-Discrimination.

3. Inventory your data: The foundation of CCPA is rooted in consumers being able to access and know what kinds of personal information is being collected and shared. In order to provide this information to consumers, companies must have a clear and organized inventory of data. One way to jumpstart this process is with a security audit. This will help your team identify areas to focus on while painting a clearer picture of how data is currently being stored and organized.

4. Automate and optimize your workflows: As with any project, once you have a strong strategy in place you can begin to optimize and automate things to scale. Once you’re aligned on your project goals and have an adequate data inventory, it’s time to repeat this process for all of your third-party partners and vendors. This will ensure that you’re covered and compliant with the new CCPA regulations.

Assessing the long-term impact of CCPA

While CCPA has been announced and is widely accepted as a security regulation, its final publication is not expected until January 2020. Additionally, the California Attorney General’s office will not be able to enforce the regulation until six months after publication, so companies have until June 2020 to complete their preparations and become compliant.

As far as fines are concerned, the CCPA will cap at $7,500 per violation. This maximum penalty is reserved only for intentional violations — any violation lacking intent will be subject to the current fine, which is $2,500. Although the fines for CCPA might not reach GDPR levels, this doesn’t mean data security teams can brush it under the rug. There are around 15 other states that are on record as currently looking to mandate privacy and data collection. This means brands need to have a strong strategy in place now before the demand becomes overwhelming and unmanageable. With a solution like Whistic helping to manage these workflows and automate the security assessment process, businesses can ensure 100% compliance.
