Get My Score

How to Get Ready For California’s Consumer Privacy Act (Part 2)


Actions to Take and Verifying Your Readiness

This is part 2 of a two-part series on CCPA readiness.  Read Part 1.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

What action should you take?

The GDPR and now the CCPA seem to be part of a wider trend towards greater individual data privacy and so it would be wise to prepare for further legislation and reassess your strategy with regards to personal data collection.

Begin by fully mapping all the personal data you collect and make sure that you know precisely how it is collected, how it’s used, who it’s shared with, and where it’s stored. Interrogate the reasons behind your data collection. If there’s no clear business benefit, then you may want to reconsider collecting that data in the first place.

Put processes in place so that your systems can securely handle data requests in a timely manner. Remember that you’ll need to provide access to data, delete data when required, and share specific information on the sharing or sale of any personal information. Allowing opt-outs on the sale or sharing of data may also require tweaks to your existing systems and/or end-user agreements.

The law requires that the business provides consumers with two or more designated methods for submitting requests for information.  A minimum requirement is a toll-free telephone number and if the business has an Internet Web Site, a website address.  In addition, the business must update its online privacy policy, and/or any California-specific description of consumer’s privacy rights and these updates must be done at least once every 12 months.  The Business is required to provide a clear and conspicuous link on the Business’ Internet homepage titles “Do Not Sell My Personal Information” that allows the consumer, or a person authorized by the consumer to opt out of the sale of the consumer’s personal information for 12 months (Note: Business can require the consumer to opt out after every 12 months).  The law requires that the request be submitted through a password-protected account maintained by the consumer if the consumer maintains an account with the business or that the business allow information request through the business’ authentication of the consumer’s identity.

Businesses and their data service providers will be required to implement technical safeguards and business processes that prohibit reidentification of the consumer to whom the information may pertain.  This will be a major burden to organizations that do not already have these controls in place.

Verify your readiness

Along with redesigning your data handling rules and systems you should update all policies pertaining to data and be prepared to train any employees who might be responsible for data. It’s not enough to ensure compliance internally, you also need to reach out to third parties and partners to ensure they follow suit.

Expect to update your systems and applications to implement additional data controls and/or monitoring of data access.  Implement new technical safeguards and business processes to prohibit reidentification of the consumer who has opted out.

Greater transparency in how personal data is collected and used is a good thing for consumers, but it also presents security challenges, so make sure you factor that in. With new policies, systems, and training in place, it’s advisable to complete a full audit that encompasses internal and external systems. Test for different scenarios and ensure that you’re in compliance with the new rules well before they come into effect.

If the Business plans to continue maintaining consumer personal information, then it would be best to have all the data encrypted at rest with the ability to de-identity the data if requested.

Expect to move from a compliance validation framework to a continuous security monitoring approach to establish your CyberPosture that can be reported daily.




© 2019 Cavirin Systems, Inc. All rights reserved.