If the CCPA applies to you (you can take the short assessment here to see if it applies to you), you can use the checklist below to quickly review or asses your basic CCPA compliance.
Firstly, let’s recap, what is the CCPA? The California Consumer Privacy Act (CCPA) is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The CCPA puts in place new requirements for processing personally identifiable information and grants Californian consumers additional rights.
One of the most important actions when it comes to compliance is to honestly review your processes and systems.
Here are some questions to help with the assessment. You can tick the questions off as you answer them.
What categories of personal data do I collect and which categories of third-parties do I share this data with?
Which sources do I collect this information from and what are their categories (e.g. analytics)?
What are the reasons or purposes of my data collection?
Which CCPA consumer rights (if any) do not apply to my processing activities?
Which exceptions reasonably and honestly apply to my scenario?
Am I keeping track of all the service providers* that access consumers’ personal information on my behalf?
Can I reliably contact these parties to fulfil things like deletion requests?
Do I maintain reliable records of the information and the categories of personal information I collect for each consumer?
Do I have the documents (e.g privacy policy or terms and conditions) I need to make legally required disclosures available on my website?
*Service Providers are entities that collect personal information on behalf of the business and not for their own purposes – it’s similar to a Processor under the GDPR. Full definition and exceptions here https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf (pg.14)
Keep internal records of the type of processing you do (including who your service providers are) so that you’re able to include relevant details in your privacy policy, and potentially at the point of data collection (e.g a contact form) if applicable.
Displaying CCPA related language, disclosures, and instructions in your privacy policy
Update privacy policy every 12 months
Have in place a way of retrieving information processed on specific consumers. One approach to this is simply being aware of what processes typically apply to particular user groups or transactions. From there you can compare against your internal privacy, sales, database or consent records to retrieve the relevant information.
Have the means of fulfilling access requests either through regular mail or electronically (such as email, file download, etc.) in a format that’s easy to use and that allows the information to be easily transmitted to another person or company without hindrance.
Display a CCPA notice of collection;
Display a “Do Not Sell My Personal Information” (DNSMPI) link that allows the consumer to opt-out
Actually facilitate the opt-out and stop the selling action for the particular consumer
Ensure that in cases where you are aware that the consumer is a minor under the age of 16 you do not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13) or if explicitly authorized to do so by the minor consumer in cases where the minor is between the ages of 13-16.
Do Not Discriminate Against Consumers Exercising Their Rights.