CCPA Compliance actionable steps

Imagine getting ready for CCPA compliance by Jan 1, 2020. GDPR compliance took you a lot of time and money. Now the CCPA (California Consumer Privacy Act) goes into effect on Jan 1, 2020. You do not have much time. You have several other priorities as well. What if you could follow a simple step-by-step process to get ready for CCPA in one week?

Or even better…

What if there are 17 steps for CCPA compliance?

… and each of these 17 steps is easy to follow and implement. Nearly all of these 17 steps cost you no additional money. You are probably eager to read and follow these steps.

This is exactly what I am going to share with you in this post. 17 practical and actionable steps that you could use for CCPA Compliance in One Week or Less.

…and once you are done, please share and comment how long it took you to get ready for CCPA compliance using these 17 actionable steps.


1. Does CCPA compliance apply to your business?

Look, there are a lot of blogs out there that outline the law. They detail how CCPA applies to your business. For example, you are a business in California, and have revenue of $25 Million or more, or have information about 50,000 California consumers. This is exhaustive.

Let’s make this as simple as an easy button:

Are you a non-profit company?

If your answer is Yes, and if your parent company is also a non-profit company, then save time and skip reading this entire blog, and go watch Netflix.

Is your business in any way related to California?

If your answer is No, then what are you still doing here? Go and play a round of golf.

Let me explain my usage of the word related. It means your business is registered in California. Or, you have revenue from California consumers. Or, you pay any taxes in California. Or, you own any property in California.

Now, the next questions get a bit tricky…

Is your annual revenue in the next twelve months more than $25 Million?

If your answer to this is Yes, then skip this section and move to step 2. I simply ask you to start taking action. You will have one less urgent project this Christmas holiday season.

This question is tricky because it may not be California based revenue. Rule making from California AG could shed more light. But it is fair to assume $25 Million total revenue.

Based on your current projections if your annual revenues are likely to exceed $25 Million, then you must have CCPA compliance. My recommendation is to start taking action if your revenues are likely to exceed $20 Million.

Do you have more than 961 visitors on your website from California in the last 7 days?

This is easy to check.

  1. Log in to your Google Analytics
  2. Navigate to Geo -> Location and click on California
  3. Select the last 7 days as the report period
  4. Check the number of users when you move your cursor to California
  5. Is this number more than 961?

Does your company need CCPA compliance? Determine that by the number of California users in Google Analytics.

If your answer is Yes, then skip this section and move to step 2. Start taking action. You will spend your upcoming Thanksgiving with your family and friends.

If you do not use Google Analytics, then check for this with your web marketing team.

Do you have more than 50,000 customers in California? Check your CRM.

If you have access to your CRM system, such as Salesforce.com, log in to it and create a report. For your query, include contacts and leads from the last 12 months. Filter for California and get a total count. Check whether the count exceeds 50,000.

If the answer is Yes, then you know what to do. Skip this section and move to step 2. And, start taking action.

Or alternatively, check your email marketing system, such as MailChimp.

Do you market and send your newsletter or emails? Do you send emails to 50,000 email addresses that are likely located in California?

If the answer is Yes, then start taking action.

Are you still reading this section?

Are you a software company dealing in data as the new oil? Boy-o-boy. We can send you a pdf version of this blog. Get a cup of coffee. Start taking action.

2. Deploy CCPA privacy request intake on your website

Privacy requests are new. Your business is required to provide an intake channel for them on your website: a web form, a phone number, an email address, or a mailing address. You could use a combination of two or more of these mechanisms. Check out our detailed blog on CCPA Privacy Request Management.

No business can estimate the number of requests. Plan for 5-10% of your users to send privacy requests. We stay optimistic and expect a much lower request intake in 2020.

Option 1: Create a web form similar to this and deploy it on your website.

Do you have a WordPress website? Simply deploy a forms plugin – WPForms or Ninja Forms.

Create a form for CCPA privacy intake and manage your requests using WordPress. Include basic email verification. Here is an example form:

CCPA Compliance Privacy Request Intake Form

Option 2: Sign up to App.InfoSecEnforcer.com

The app is easy to set up. It scales your workflow. InfoSecEnforcer provides 13 pre-built email templates. And, it is free to use.

Option 3: Sign up to OneTrust.com

One of the first vendors to provide DSAR (data subject access rights) handling. OneTrust is focused on GDPR. Support for CCPA was added recently.

CCPA Compliance: Privacy Requests Management
OneTrust provides a 14-day free trial. InfoSecEnforcer.com delivers a free app.

Option 4: Sign up to Wirewheel.io

WireWheel provides SRR (subject rights requests). Privacy requests are often called DSAR – Data Subject Access Rights, or SRR – Subject Rights Requests.

(C) WireWheel.io

Option 5: Review this blog and create your own privacy request management system

Enough said. Need more information on how to manage the intake of privacy requests? Check our blog.

Time to move to the next section.

3. CCPA Compliance needs categories of data you collect

CCPA (California Consumer Privacy Act) provides the requester a right to know categories of data you collect.

Reach out to your digital marketing team for any help. List all the categories of data you collect. Let’s get started.

Here is a sample list of categories that you could use:

  • Internet or network activities
  • Device specific information
  • Commercial information (ex: orders, history, credit card data, etc.)
  • Identifying information (ex: email, phone, etc.)
  • Health information
  • Biometric information
  • Fitness information
  • Professional or employment related information
  • Educational information
  • Geolocation information
  • Audio/Video information
  • Automotive information
  • Information users share
  • Information to process privacy requests

Now create your own list of categories. Next step is to create an email template that includes your list of personal information categories that your business collects.

Create an email template with categories of information collection

Here is a sample email template:

Subject:  Privacy Request – Categories of Information Collected 
Message:
Hi {Name},
We received a privacy request from you regarding the categories of personal information we collect. We collect the following categories of information:
- Internet or network activities
- Device type information
- Commercial information (ex: orders, history, credit card data, etc.)
- Identifying information (ex: email, phone number), and
- Information to process the privacy requests

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

You may have to create multiple email templates for each requester type. Each of these templates may differ on categories of information collected.

4. List reasons for collecting data by category

CCPA provides the requester a right to know why your business is collecting data. A few businesses collect data to sell as data brokers.

Let’s make it a simple one-time process. You may need help from your digital marketing team. Here is a simple list of reasons for collecting data.

Please use this list to get started with your own list.

  • To Enforce Policies, Terms, and Conditions
  • To Track and Monitor Website Usage
  • To Analyze Website Visitor Behavior
  • To Improve Website Performance
  • To Improve Visitor Engagement
  • To Service Customers
  • To Provide Sales and Support
  • To Answer Questions or Address Requests
  • To Evaluate Suitable Candidates for Jobs
  • To Create User Accounts
  • To Communicate Marketing and Sales Promotions
  • To Communicate Company Policy Information
  • To Fill and Manage Sales Orders and Support Requests
  • To Write Testimonials
  • To Deliver Advertisements
  • To Get Customer Feedback
  • To Share Data With Data Brokers
  • To Aid in Research
  • To Aid in Behavioral Analysis
  • To Process Privacy Requests

Create an email template to communicate with the requester

Here is an example. You may have to create multiple email templates.

Subject: Privacy Request - Collection Purpose
Message:
Hi {Name},
We received a privacy request from you regarding the purpose of collecting personal information. Our purpose of collecting your personal information is as follows:
- To Communicate Marketing and Sales Promotions
- To Communicate Company Policy Information
- To Fill and Manage Sales Orders and Support Requests
- To Write Testimonials
- To Deliver Advertisements
- To Get Customer Feedback
- To Enforce Policies, Terms, and Conditions
- To Share Data with Data Brokers

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

5. List all sources of data collection

CCPA provides the requester a right to know sources of data you collect. Reach out to your digital marketing team and list all data sources. Let’s get started.

This is a sample list to get started.

  • Laptops and Desktops
  • Websites
  • Desktop Apps
  • Web Apps
  • Mobile Apps
  • Shopping Carts
  • Phone Calls
  • Fitness Devices
  • Mobile Devices
  • Video Streaming Devices
  • Medical Devices
  • Smart Speakers
  • Smart Toys
  • Security Cameras
  • Wifi Routers
  • Automotive Sensors
  • Smart Sensors & Scanners
  • Tablets
  • Data Services
  • 3rd Party Data Brokers
  • Social Media Platforms
  • Advertising Platforms

Create an email template

Use this example email template.

Subject: Privacy Request - Sources of information collection
Message:
Hi {Name},
We received a privacy request from you regarding the sources of collecting personal information. Our sources of collecting your personal information are as follows:
- Laptops and desktops
- Websites
- Desktop apps
- Web Apps
- Shopping cart
- Phone calls

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

6. Scan your website and list all the cookies used

Do you have cookies on your website? Nearly all those cookies collect personal information. CCPA compliance requires you to know all your cookies. Why?

  1. Provide a detailed notice of data collection
  2. Service Opt-Out, privacy request
  3. Service Delete My Personal Information, privacy request
  4. Provide personal information stored in these cookies

Note: CCPA does not require you to create an opt-in for cookie trackers, unlike GDPR. COPPA and opt-in requirements apply for children.

With the cookie list, you can start an inventory to map the data. Use one of these free tools to discover all the cookies your website generates and where their data is stored. Scanners generate reports that identify and classify the cookies discovered. Next, click one of these tools and get a detailed report.

You may create your own cookie scanner using this open source project.

Read more about CCPA cookie consent management here.
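The scanners above classify each cookie for you. As an added example that is not code from the post or from any scanner it mentions, the following Python script performs the core of that classification on Set-Cookie headers: which host set the cookie, whether it is first- or third-party relative to your site, whether it outlives the browser session, and which security flags it carries. The site domain and the observed headers are constructed sample data, and the eTLD+1 helper is a deliberate simplification.

```python
"""Classify cookies for a CCPA cookie inventory.

Added example, not code from the post or from any scanner it mentions.
It parses Set-Cookie headers observed while loading pages of a site and
records, per cookie, the host that set it, whether it is first- or
third-party relative to the site, whether it persists beyond the browser
session, and its Secure/HttpOnly flags. The site domain and the observed
headers are constructed sample data.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE_DOMAIN = "companyabc.com"  # assumption: the site being scanned

# Constructed observations: (URL of the response, value of its Set-Cookie header)
OBSERVED = [
    ("https://www.companyabc.com/",
     "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.companyabc.com/",
     "_ga=GA1.2.1; Domain=.companyabc.com; Max-Age=63072000; Path=/"),
    ("https://cdn.analytics-vendor.example/collect",
     "_vid=xyz; Domain=analytics-vendor.example; "
     "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"),
]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com-style names, not for
    multi-label suffixes such as co.uk (a simplification of this example)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, set_cookie: str, site: str = SITE_DOMAIN) -> list[dict]:
    """Return one inventory row per cookie found in a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    host = urlsplit(url).hostname
    rows = []
    for name, morsel in jar.items():
        # A cookie without an explicit Domain attribute belongs to the setting host.
        domain = (morsel["domain"] or host).lstrip(".")
        rows.append({
            "name": name,
            "set_by": host,
            "domain": domain,
            "third_party": registrable(domain) != registrable(site),
            # Session cookies carry neither Max-Age nor Expires.
            "persistent": bool(morsel["max-age"]) or bool(morsel["expires"]),
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return rows


def build_inventory(observed=OBSERVED, site: str = SITE_DOMAIN) -> list[dict]:
    """Flatten all observations into the cookie inventory table of step 7."""
    return [row for url, header in observed for row in classify(url, header, site)]


def third_party_domains(inventory: list[dict]) -> list[str]:
    """Domains whose cookies need a vendor entry (and the step 8 amendment)."""
    return sorted({row["domain"] for row in inventory if row["third_party"]})


if __name__ == "__main__":
    inventory = build_inventory()
    for row in inventory:
        print(row)
    print("third-party vendors to review:", third_party_domains(inventory))
```

Feed it the Set-Cookie headers your crawler records for each page, and the `third_party_domains` result becomes the starting list of vendors for the agreement review in step 8.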

7. List all Cloud and internal apps that store personal information

Data mapping is a secret ingredient to achieve CCPA compliance. CCPA compliance requires you to know:

  1. Where you store data (personal information)
  2. How you process this data
  3. Who you share this data with

This table kicks off your data mapping process for the purpose of CCPA compliance. From the previous section you have the list of cookies on your website. Use this table to document where your cookie data is stored. Nearly all cookies capture personal information.

Cookie Name         Where Stored            Name of Admin   3rd Party (Y/N)
Google Analytics    Analytics.Google.com    John Doe        Y
Automattic Inc.     WordPress.com           Jane Doe        Y
comScore Inc.       ComScore.com            John Doe        Y
Fusio               S4m.io                  Jane Doe        Y

To get all these templates and the entire blog as a Word document, CONTACT US.

Next up, list all cloud applications your business uses. The following table helps you document all your cloud applications.

Cloud App Name      Name of Admin   Personal Information?
Salesforce.com      John Doe        Y
WorkDay.com         Jane Doe        Y
Office365.com       John Doe        Y
DropBox.com         Jane Doe        Unsure
Slack.com           John Doe        Unsure

Your business has many internal applications. These may be developed internally or be 3rd party licensed software. They may run in your own data center or in your private cloud instance. The following table helps you document your internal applications.

Internal App Name   Name of Admin   Personal Information?   3rd Party?
Microsoft Exchange  John Doe        Y                       Y
Quicken             Jane Doe        Y                       Y
Kronos              John Doe        Y                       Y
WordPress           Jane Doe        Unsure                  N
InventoryMS         John Doe        Unsure                  N
CoupaSoftware       John Doe        Y                       Y

All done? Hooray!! Listing the apps is yet another critical step for CCPA compliance, and it helps with data mapping:

  1. List all stores of personal information
  2. Data discovery
  3. Starting point to address privacy requests for data, delete data, etc.
  4. Review 3rd party vendor agreements (see below)

8. Review privacy clauses in your service provider or partner agreements

Why? CCPA holds you responsible for all the personal information you store. It does not matter where, or which 3rd party, touches your personal information. For CCPA compliance it is now necessary to enforce 3rd party CCPA compliance. Third-party CCPA compliance means answering the following simple questions:

  1. List all stores of data we share with you
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have tools to identify, monitor, and delete personal information?

This may look like a lot of work with each 3rd party. Doing this will ensure protection from liability.

Can one single step solve this?

Yes. Execute an amendment to your current agreement with each of the 3rd parties. Include the following clause in your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (3rd party vendor) and any affiliate of the Company each covenant to safeguard Personal Information (as defined in the CCPA, California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information from any digital means (not limited to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches and attempts. The Company shall provide periodic report(s), at intervals no longer than six (6) months, of any data breach incident or attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall, at the minimum, include the date and time of the incident, the location of the incident, details of the specific Digital Information involved in the incident, and the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include, but are not limited to, access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, and acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your 3rd parties for CCPA compliance.

9. Review privacy clauses in your customer agreements

Uh!! What? Why should we amend our agreements with our customers?

This is specifically important for software vendors or (digital) marketing companies. Your customers need to be ready for CCPA compliance. And they are seeking answers to these questions:

  1. Where do you store personal information?
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have APIs to identify, and delete personal information?

Be proactive.

How? Execute an amendment to your current agreement(s) with each of your customers. Include the following clause in your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (“Your Company”) and any affiliate of the Company each covenant to safeguard Personal Information (as defined in the CCPA, California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information from any digital means (not limited to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches and attempts. The Company shall provide periodic report(s), at intervals no longer than six (6) months, of any data breach incident or attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall, at the minimum, include the date and time of the incident, the location of the incident, details of the specific Digital Information involved in the incident, and the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include, but are not limited to, access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, and acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your customers for CCPA compliance. You will have an enhanced strategic relationship with your customers. The following sections detail the steps your business needs to take to address these. The result is CCPA compliance and avoiding both civil suits and regulatory penalties.

10. Review the privacy policy on your website

Your website or mobile app privacy policy review for CCPA must include the following:

  1. Information collected on your website
  2. Information on cookies that collect information
  3. Usage of information collected on your website
  4. Categories of 3rd parties used to collect information
  5. Do you share information collected with other 3rd parties?
  6. How you store, and safeguard the data

Of course, contact your attorney. Also, several web services generate privacy policies relevant to you. Please review these services:

  1. Termly
  2. Free Privacy Policy
  3. Terms Feed
  4. Privacy Policy Generator
  5. FirebaseApp Policy Generator
  6. Iubenda

While most of the above are for GDPR, you could modify these for CCPA. The key element in reviewing your privacy policies is to ensure that you have two versions of the privacy policy:

  • Legal version, and
  • Simple version in plain English

All done? The next step is to send notices with your updated privacy policy.

11. Send notices to partners with the updated privacy policy

Why? We just amended agreements with partners to include the ‘Covenant to SafeGuard Digital Information and CCPA compliance’. What is this new privacy policy update notice? A notice should be sent in two forms:

  1. A letter
  2. An email

Create a notification letter, and use the same content in your email as well. Ensure consistency in both the notices. Provide URL links to both the simple version and the legal version.

Step 1: Get a list of addresses (both postal addresses and email addresses)

Step 2: Send out the postal letter, typically addressed to the legal counsel or the President of the company

Step 3: Send out an email (use mail merge)

12. Send notices to customers with the updated privacy policy

Now that you sent out notices to all your partners it is time to repeat this process with your customers. It is likely that you have more than a few thousand customers.

For a large number of customers, it is indeed expensive to send letter notifications. Each letter notification is likely to cost you anywhere in the range of $0.50 to $2.00. This could get expensive fairly quickly.

We recommend that you start only with email notification for customers. Have a way to track the number of opens. Send weekly notifications only to those who have not opened the email. Repeat these weekly notifications until you reach at least 30-50% opens. This would likely take about 10-15 weeks. Ensure that you keep a record of this process.
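The weekly loop above has state to track (who has opened, who still gets the next send, when to stop) and a record to keep. The following Python script is an added example, not code from the post or from any email platform: it models that loop against constructed customers and open events, re-sending only to non-openers each week until the target open rate or the week limit is reached, and returns the per-week record. In a real run the weekly opens would come from your email platform's open tracking rather than from the constructed dictionary.

```python
"""Weekly re-notification loop for a privacy policy update notice.

Added example, not code from the post. It models the step 12 process: email
every customer once, then each week re-send only to those who have not opened
yet, stop when the open rate reaches the target (or the week limit is hit), and
keep a record of every round. Customers and open events are constructed sample
data; in practice the opens would be read from the email platform's tracking.
"""

CUSTOMERS = [f"customer{i}@example.com" for i in range(1, 11)]  # constructed

# Constructed open events: week number -> addresses that opened that week's send
OPENS_BY_WEEK = {
    1: {"customer1@example.com", "customer2@example.com"},
    2: {"customer3@example.com"},
    3: set(),
    4: {"customer4@example.com"},
}


def run_campaign(customers, opens_by_week, target_open_rate=0.30, max_weeks=15):
    """Return (log, final_open_rate). Each log entry records one weekly round."""
    pending = set(customers)   # has not opened yet: gets the next weekly send
    opened = set()
    log = []
    rate = 0.0
    for week in range(1, max_weeks + 1):
        sent_to = sorted(pending)  # this week's recipient list (the record)
        # Only count opens from people who were actually sent this round.
        newly_opened = opens_by_week.get(week, set()) & pending
        opened |= newly_opened
        pending -= newly_opened
        rate = len(opened) / len(customers)
        log.append({"week": week, "sent": len(sent_to),
                    "opened": len(newly_opened), "open_rate": round(rate, 2)})
        if rate >= target_open_rate:
            break  # stopping rule: target reached
    return log, rate


if __name__ == "__main__":
    campaign_log, final_rate = run_campaign(CUSTOMERS, OPENS_BY_WEEK)
    for entry in campaign_log:
        print(entry)
    print(f"final open rate: {final_rate:.0%}")
```

The `log` list is the record the step asks you to keep; persist it (for example to a CSV) so that you can show, per week, how many customers were notified and how many opened.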

13. Vendor risk assessment

Let’s review step 8 above. In step 8, you created a CCPA compliance amendment for execution by each vendor. It is likely that you are able to get 80% of your vendors to sign this amendment. However, this is not enough. There is still a risk of penalties or class-action lawsuits. It is an operational risk.

The vendor has likely executed the amendment. Is there a way to check their CCPA compliance? This is the tough part. So, you need vendor risk assessment. There are two areas of vendor risk assessment for CCPA.

Area 1: Vendor security risk assessment. How vulnerable is the vendor for data breaches? Making this assessment on a vendor is a difficult operational problem.

Area 2: Vendor privacy request compliance assessment. How well does the vendor comply with the request for personal information? How well does the vendor comply with the request for deletion of data? How well does the vendor comply with the request to not sell personal information?

Several companies offer services to make a 3rd party vendor security assessment for GDPR compliance. The market is still evolving. The following resources provide vendor risk assessment for GDPR compliance. This could be easily extended to CCPA compliance.

  1. ProcessUnity
  2. OneTrust
  3. WireWheel
  4. SecurityScoreCard
  5. IAPP.org

This step is unlikely to be fully automated. Get started and you could make improvements over time.

14. Privacy APIs to access data for Privacy Requests

What are privacy APIs? Privacy APIs are an API framework to address privacy requests. Privacy APIs are new. They are often untested. Three types of privacy requests require privacy APIs. These requests require the personal information of the requester:

  1. Request to access all my personal (requester’s) information
  2. Request to delete all my personal (requester’s) information
  3. Request to not sell my personal (requester’s) information

Privacy APIs enable easy and automated access to data in cloud applications. This framework could easily be extended to your business’ own data. (For more information on how to get started with Privacy APIs, please contact us.)
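To make the three request types concrete, here is an added example in Python that is not the post's code and not any vendor's privacy API. It assumes a small in-memory inventory shaped like the step 7 tables (store name, admin, third-party flag, and the personal information each store holds for an email address) and dispatches a verified access, delete or do-not-sell request to every store. Before any store is touched, the requester's email address is verified with a single-use token (the "basic email verification" of the intake form in step 2), and stores flagged as third-party are listed for follow-up under the step 8 amendment. The names, records and token table are constructed sample data.

```python
"""Privacy request handling over an inventory of personal information stores.

Added example, not the post's code and not any vendor's privacy API. It
assumes a small in-memory inventory shaped like the step 7 tables and the three
request types of step 14 (access, delete, do_not_sell). Before any store is
touched, the requester's email address is verified with a single-use token sent
to that address (the "basic email verification" of step 2). Stores flagged as
third-party are listed for follow-up under the step 8 amendment. All records
are constructed sample data.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    name: str
    admin: str
    third_party: bool
    records: dict                            # email -> personal information held
    sold: set = field(default_factory=set)   # emails whose data may be sold/licensed


def build_inventory() -> list[Store]:
    """Fresh constructed inventory; delete requests mutate it."""
    jane = "jane@example.com"
    return [
        Store("Salesforce.com", "John Doe", True,
              {jane: {"phone": "555-0100", "orders": 3}}, sold={jane}),
        Store("WordPress", "Jane Doe", False, {jane: {"comments": 2}}),
        Store("Kronos", "John Doe", True, {}),
    ]


# assumption: server-side table of pending verification tokens, email -> token
PENDING_TOKENS: dict[str, str] = {}


def issue_token(email: str) -> str:
    """Create a single-use token; a real deployment emails it to the address."""
    token = secrets.token_urlsafe(16)
    PENDING_TOKENS[email.lower()] = token
    return token


def verify(email: str, token: str) -> bool:
    """Constant-time comparison; the token is consumed on success."""
    expected = PENDING_TOKENS.get(email.lower())
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del PENDING_TOKENS[email.lower()]
    return True


def handle_request(kind: str, email: str, token: str, inventory: list[Store]) -> dict:
    """Dispatch one verified privacy request to every store in the inventory."""
    if kind not in ("access", "delete", "do_not_sell"):
        raise ValueError(f"unknown request type: {kind}")
    if not verify(email, token):
        return {"status": "rejected", "reason": "email not verified"}
    per_store = {}
    followup = []
    for store in inventory:
        if email not in store.records:
            per_store[store.name] = "no data"
            continue
        if kind == "access":
            per_store[store.name] = dict(store.records[email])
        elif kind == "delete":
            del store.records[email]
            store.sold.discard(email)
            per_store[store.name] = "deleted"
        else:  # do_not_sell
            store.sold.discard(email)
            per_store[store.name] = "opted out of sale"
        if store.third_party:
            # The vendor must mirror the action under the step 8 covenant.
            followup.append(store.name)
    return {"status": "ok", "request": kind, "email": email,
            "stores": per_store, "third_party_followup": followup}


if __name__ == "__main__":
    inventory = build_inventory()
    token = issue_token("jane@example.com")  # would be emailed to the requester
    print(handle_request("access", "jane@example.com", token, inventory))
```

Two design points carry over to a real deployment: the request is rejected before any store is consulted if the token does not match, and the token is consumed on first use so that a captured verification link cannot be replayed for a second request.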

Now you have got through 14 steps. It is time to address security.

Security is not equal to privacy; and privacy or CCPA compliance does not equal security. Security is one part of privacy.

One key area of CCPA compliance is preventing data breaches. CCPA, or AB 375, states:

“Any consumer whose nonencrypted or nonredacted personal information … is subject to unauthorized access, theft, or disclosure … result of the business’ violation of the duty to implement and maintain adequate and reasonable security procedures and practices … may institute a civil action…. recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater…” There are several security procedures and practices. DLP, data loss prevention, is a key tool. Data Loss Prevention includes end point protection and network protection.

California Consumer Privacy Act – AB 375

15. Prevent data breaches from your endpoints

Why do you need endpoint Data Loss Prevention (DLP)? As part of CCPA compliance, you need to maintain adequate security to prevent loss or theft of personal information. Endpoints (desktops, laptops, and mobile devices) are vulnerable to data theft or exfiltration. Endpoint DLP provides reasonable security to prevent such data breaches.

Do you deploy anti-virus protection on all your end points? End point Data Loss Prevention is similar in deployment. Here is a sample list of vendors that provide end point DLP.

Contact us to deploy end point DLP for CCPA compliance.

16. Prevent data breaches from within your network

Have you secured the endpoints? Awesome. It is time to pay attention to the rest of your network. Your business needs the ability to proxy, classify, and prevent any unauthorized exfiltration. Benefits of network Data Loss Prevention include:

  • Control traffic on email, HTTP(S), (s)FTP, webmail, web apps, and more
  • Control clear as well as SSL based applications
  • Enforce policies
  • Reduce false positives
  • Prevent insider threats as well as threats from bots
  • Provide forensics where required

Here is a small list of network Data Loss Prevention solutions:

  1. InfoSecEnforcer
  2. Symantec
  3. Digital Guardian
  4. Force Point
  5. McAfee

Deploying one of these above solutions implies CCPA compliance. You will also have the ability to fend off any civil suits resulting from potential data breaches.

17. Office 365 DLP to prevent breaches from O365

Office 365 is one of the most widely used applications. Deploying end point DLP and network DLP is not sufficient to prevent exfiltration from Office 365.

Why? Because Office 365 is a cloud application and can be accessed from uncontrolled endpoints. At $2 per user per month, this is an easy deployment and can be completed in less than a week. Depending on your budget you may deploy Office 365 DLP first and phase in endpoint DLP and network DLP.

Read more about Office 365 DLP here.

7 replies
  1. telefon kapak says:

     This shall be very helpful in case you depart your phone. More importantly, these updates fix some bugs and patches up security points that may affect the cellphone.

  2. www.nacdd1305.org says:

     Hi, Neat post. There is a problem with your website in internet explorer, might check this? IE still is the market leader and a good component of folks will pass over your fantastic writing because of this problem.

  3. U says:

     Nice post. I was checking continuously this blog and I am impressed! Extremely helpful info particularly the last part 🙂 I care for such info a lot. I was looking for this info for a very long time. Thank you and best of luck.
