The CCPA Compliance Checklist

After the launch of the GDPR, many companies are being confronted with new legislation, the CCPA. For those of you who are preparing, here is a checklist to assist you.

What is the CCPA

The California Consumer Privacy Act (CCPA) is a California state law that enhances privacy rights and consumer protections for California residents. It regulates what businesses are allowed to do with the personal information they collect from California residents.

The CCPA aims to put data rights back into the hands of consumers. Consumers will now be able to understand how their data is actually being used, and they will have a say in how, and with which third parties, their data can be shared. The CCPA is aimed at enforcing the protection and privacy of personal and customer data.

When does CCPA become active?

The California Consumer Privacy Act officially goes into effect on Jan. 1, 2020.

With its strict guidelines and penalties, the CCPA is considered revolutionary data protection legislation in the US. As was the case with the European Union's General Data Protection Regulation (GDPR), and with the launch date approaching fast, we believe that for most companies achieving compliance is going to take longer than expected.

Who does the CCPA protect?

The CCPA is designed to protect any individual who is a California resident, as well as any household or device that can reasonably be identified by a unique identifier.

It is designed to protect California consumers' data, and to require every organisation that handles California residents' data to take its responsibility to safeguard consumer data seriously.

Who does the CCPA apply to?

Just like with the GDPR, one should not underestimate the global impact of the CCPA. Any organisation globally that collects personal data of California residents and households should validate whether they are required to comply with the CCPA.

Any organisation that annually meets one of the following three criteria:

  • Earns revenues greater than $25 million.
  • Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes.
  • Derives 50 percent of its annual revenues from selling consumers' personal information.

What are the key differences between the CCPA and the GDPR?

Any business that already complies with the GDPR should be able to extend its policies and practices fairly easily to fit the CCPA's requirements. At the same time, one should not underestimate the important differences between the two laws.

The European legislation could be considered more rigorous overall, even though the CCPA takes a broader view of personal information than the GDPR. For offenders, there is also a significant difference in the fines structure.

Here are the most important differences between the CCPA and GDPR:

  • The GDPR sets a penalty limit of 4% of global annual revenues, while the CCPA does not have a ceiling on regulator penalties.
  • Any intentional violation of the CCPA will result in a civil penalty of $7,500 per incident.
  • The CCPA has pre-defined minimum ($100) and maximum ($750) damage amounts per consumer per incident for private actions against violators, while the GDPR prescribes neither floor nor ceiling values.
  • The CCPA applies to businesses only, while the GDPR covers any entity that processes personal data of EU residents.
  • The CCPA has a broader definition of personal information than GDPR.
  • The two laws set different conditions for access and deletion requests concerning personal data.
  • The CCPA does not expressly include the right to correct errors in processed personal data.
  • The GDPR allows covered entities to establish equivalent mechanisms, while the CCPA prescribes disclosures, communication channels, and other measures.
  • The CCPA does not expressly include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect).

The list below is far from a legally exhaustive document; it is merely meant as a guideline to help you through the process.

Feel free to contribute directly on GitHub!

Are you impacted?

  • My company is for-profit, conducts business in California, collects personal data of California residents, and determines the purposes and means of processing consumers' personal information.
  • My company has annual gross revenues in excess of $25 million OR possesses the personal information of 50,000 or more consumers, households or devices OR earns more than half of its annual revenue from selling consumers' personal information.

Exceptions

  • My company processes medical information collected by a covered entity governed by the Health Insurance Portability and Accountability Act (HIPAA) or the California Confidentiality of Medical Information Act (CMIA), or by other entities subject to HIPAA or CMIA, or information collected as part of a clinical trial.
  • My company processes personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.
  • My company processes information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994.
  • My company takes part in the sale of personal information to or from a consumer reporting agency, to be reported in or used to generate a consumer report.
  • My company takes part in efforts to comply with federal, state, or local law, with a civil, criminal, or regulatory investigation, or with a subpoena or summons, where those efforts are contrary to the CCPA.
  • My company cooperates with law enforcement agencies, or exercises or defends legal claims, in ways that are contrary to the CCPA.

Types of data

  • My company processes data such as name, address, personal identifiers, IP address, email address, account name, Social Security number, driver's license number, and passport number.
  • My company processes personal information covered by California's Records Destruction Law (Cal. Civ. Code § 1798.80(e)), which additionally includes signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, and financial account information.
  • My company processes characteristics of protected classifications under California or federal law.
  • My company processes commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
  • My company processes biometric information.
  • My company processes internet or other electronic network activity, such as browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement.
  • My company processes geolocation data.
  • My company processes audio, electronic, visual, thermal, olfactory, or similar information.
  • My company processes professional or employment-related information.
  • My company processes education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 USC § 1232g, 34 CFR Part 99).
  • My company draws inferences from any of the information listed above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Internal processes

  • When requested, your company has to inform the consumer which categories and which specific pieces of personal information you have collected about them.
  • Your company has to verify the identity of consumers who request access to, or deletion of, their personal information.
  • Your company has to inform the consumer, before the point of collection, about the categories of personal information you collect and the purposes for which those categories of personal information will be used.
  • Your company has to deliver the requested information to consumers free of charge within 45 days, by mail or electronically.
  • The information your company delivers has to be portable: to the extent technically feasible, it must be in a readily usable format that allows consumers to transmit it to another entity "without hindrance".
  • Your company has to delete personal information when consumers request it.
  • Your company has to create a process, and identify the individuals responsible for it, that lets consumers opt out of the sale of their personal information to third parties, and has to stop selling their data in response to such a request.
  • By default, your company should not sell the personal information of consumers who are between 13 and 16 years of age. Nevertheless, your company has to create a process that allows them to opt in.
  • Your company has to provide consumers the right to equal services and prices.
  • Your company has to make available two or more designated methods for consumers to request their information, including, at a minimum, a toll-free telephone number and a website address (if the business maintains a website).
  • Your company has to train and inform dedicated personnel so that they properly process new requests to exercise privacy rights.

External communication

  • Your company has to disclose the consumer's right to request the deletion of their personal information.
  • If your company sells consumers' personal information, you have to inform consumers that their information may be sold and that they have the "right to opt out" of the sale of their personal information.
  • If your company offers financial incentives for the collection, sale, or deletion of personal information, you need to disclose those financial incentives to your consumers.
  • Your website's homepage has to include a link informing consumers that they have the right to opt out of the sale of their personal information.
  • Your company has to disclose in its online privacy policy a description of consumers' rights and the categories of consumers' personal information collected and/or sold in the preceding 12 months.

Recommendations

  • Your company has to ensure that agreements with service providers are CCPA compliant.
  • Your company has to create and maintain a robust incident response plan.
  • Your company has to keep records of requests, and of how you responded to them, for 24 months in order to demonstrate your compliance.

Amendments

  • If you are a data broker, you need to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.

Consumer Rights

  • Right to access: When you request it, the company has to inform you which categories and which specific pieces of personal information they have collected about you.
  • Right to notice: The company has to inform you, before the point of collection, about the categories of personal information they collect and the purposes for which those categories of personal information will be used.
  • Right to be forgotten: The company has to delete your data when you request it.
  • Right to opt out: When you request it, the company has to make sure you can opt out of them selling your personal data to third parties.
  • Right to opt in: By default, the company should not sell your personal information when you are between 13 and 16 years of age. Nevertheless, the company needs to create a process that allows you to opt in if you would like to.
  • Right to equal services and prices: The company has to provide you the right to equal services and prices.

Disclaimer

The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.