How to prepare for the California Consumer Privacy Act

Oct 24, 2019Insights

What is the CCPA

The volume of personal information collected through digital technologies and big data are increasing significantly. Using these technologies can raise issues that violate consumer rights so regulations are emerging in order to reinforce data protection and give more rights to consumers. The California Consumer Privacy Law does just this and is applied in addition to existing laws, reinforcing transparency and consequences related to personal information

Collection of Personal Information

The collection of personal information is a key asset which raises major regulatory challenges.  The personal information collected can be of various types including health, identity, biometric, location and financial information.  This information is used for numerous purposes inside organizations from financial administration and marketing to internal controls, and operations. The ability to handled new personal information is an asset which helps business gain or maintain competitive advantages.  But the protection of personal information has to be strengthened and individual rights need to be reinforced.

Objectives of the CCPA

The protection of personal information and reinforcement of individual rights is at the core of the CCPA. CCPA is an expansion of the existing laws regarding data breach notifications and GDPR. The three pillars that all of these data protection laws establish are:

  • Limiting unauthorized disclosure, loss of personal information and the protection of individuals against the explosion of new technologies and associated data drift
  • Reinforcing the customer privacy and control individuals have of their personal information
  • Increased penalties to compensate consumer damages

The CCPA will go into effect on January 1, 2020. Organizations across sectors will be required to adapt their security polices and process to comply with the new standards.

The success of a CCPA compliance project rests on 6 key points:

  • Governance
    Identifying key roles to manage data privacy such as a Data Privacy Officer, a network of local reports, and governance committees
  • Data Identification
    A data identification program which enables the business to understand the key traits of the personal information collected (sources, purposes, flow, etc.)
  • Sustainability and Corporate Culture
    Establishing a corporate culture which supports the goal of data privacy including training, control, collaboration with risk and audit, and a PMO
  • Legal, Information and Transparency
    Legal reviews, client notifications, request management, reporting and disclosure statements
  • Data Security
    Data security measures that include both physical security and IT security programs
  • Policy, Processes and Documentation
    Each of the above must be supported by clear internal policies, processes and related documentation

With the CCPA, businesses must reinforce both their process transparency concerning data collection and the use of personal information and improving communication with customers. 

The guarantee of these rights will have a significant impact on businesses.  Ensuring these rights will require communication with customers.  New process must be implemented to allow data deletion, breach notifications, data request processing and other rights management activities. Finally, new capabilities must be developed to collect consent, manage the collected data and identify a customer’s data and data lineage across systems.

CCPA Scope

When the CCPA goes into effect in January 2020, it will apply to more than just California-based companies. It will impact businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located.

In short: If you do business in CA, collect consumer data and have revenue greater than $25M it applies. Sia Partners can help you prepare. Applies to for-profit legal entities that “does business in the State of California” and collects or sells a consumer’s personal information, which also meets at least one of the following thresholds: 1. Annual gross revenues more than $25 million; 2. Buys or sells personal information of 50,000 or more consumers, households or devices; or 3. Derives 50% or more of its annual revenues from selling consumer’s personal information.

What CCPA Requires from Business

The impact of these newly defined customer rights and the concept of consent requires that business create new processes and the organizations to manage them. Business must manage the right to know, the right to access and the right to opt-out of the sale of personal information, the right for a person under the age of 16 to opt-in to the sale of their personal information and the right to equal services and price.

Businesses must put reinforced governance in place including data governance processes and a corporate structures that are capable of maintaining a data privacy system.  Different than GDPR, under the CCPA businesses are free to set up their own data governance. Additionally, subcontractors have increased responsibility and must develop data protections systems as well.

Some key points to improve customer communication around customer data rights include:

  • Disclosing certain information on their website and in their public statements, including the privacy policy, regarding the collection and sharing of personal information
  • Developing a button on the website to enable consumer to opt out of the sale of personal information
  • Informing consumers if the business collects a new data or uses data for new proposes

CCPA Compliance

Sia Partners has extensive GDPR experience and has implemented privacy frameworks at large EU-based business.  By leveraging its experience, knowledge and tool set, we are able to assist with CCPA programs in any capacity.

Sia Partners Approach

Sia Partners uses a three-part approach in the implementation of a compliance program. This approach is based on a clear understanding of the regulatory requirements, then identifies the current organizational gaps, outlines a roadmap for achieving the compliance goals and then deploys the CCPA compliance program within the organization.

Analysis & Training

Sia Partners takes a systematic approach to CCPA analysis and training. This approach has the goals of identifying applicable data privacy regulations, identify the specific audiences who require training inside the organization, designing information campaigns to raise awareness inside the business, and designing and executing a training program for key stakeholders to reduce data protection risks and support the roadmap implementation.

Gap Analysis & Roadmap

The CCPA gap analysis includes an in-depth investigation of the current business, the changes that need to be made, the goal end-state of the organization as related to CCPA compliance, and the development of a roadmap which will guide the business on the necessary journey. This process is outlined at a high-level below.

CCPA Program Deployment

Sia Partners brings a strong, proven project methodology to CCPA program deployment. This methodology ensures the quality of the solutions delivered leveraging the risks and requirements identified in the initial analysis phase. Following the roadmap, the program deployment project executes on the global action plan to establish governance, reporting, quality metrics, budgetary alignment and internal compliance programs.

Sia Partners Added Value

Experienced Teams

Sia Partners Consultants are trained for CCPA regulatory requirements and have deep experience in data protection programs.  We leverage internal legal expertise for the translation of regulatory requirements into operational processes. By partnering with legal counsel the consulting team is supported by expert knowledge in achieving program deliverables.

Methodological Kit

Through numerous previous engagements Sia Partners has developed a robust methodological toolkit.  These proven tools include

  • Data identification framework
    The gap analysis and required internal governance review are facilitated by leveraging this successful data identification framework,
  • CCPA compliance analysis
    This survey is customized a customized documentation tool to assess the current level of CCPA compliance of the business
  • Proven risk management methodologies
    These methodologies identify the most significant risks faced by the business and allow them to be directly addressed

Tools at Your Disposal

Additionally, Sia Partners has developed other internal resources which can be leveraged throughout the course of the compliance program implementation

  • Videos to raise awareness on data protection regulatory issues
  • Thematic sheets to help the teams understand the CCPA impacts
  • Templates to meet the key requirements of the Regulation (Notifications, Privacy by design, etc.)

Next Steps

To learn more about Sia Partners CCPA compliance programs, please visit our contact page. Our delivery team would be happy to answer any of your questions on project specifics and talk through your business’s concerns regarding CCPA compliance.