The California Consumer Privacy Act (CCPA) will be effective January 1, 2020, but its 12-month “look back” requirement means that companies will need records of personal information collected during the 12 months before that date, that is, dating back to January 1, 2019.
While January 2020 seems far away, creating and maintaining data inventories and flows beginning January 2019 to meet the “look back” requirement will take time. With less than two months to go, companies should secure a budget, develop a process, and evaluate tools to help implement the process.
The budget should take into account supplying your team with the resources necessary to address the access, accounting of disclosures, and transparency requirements. For example, companies will have to identify any personal information previously collected by the business about the consumer, so the process should ensure that business processes that collect personal information are recorded in a data inventory. A company will need to be able to identify the type of personal information being collected; there are 11 categories enumerated in the CCPA, and the company would have to choose the one that most closely describes the personal information. The company will also need to know why it collected the personal information (the purpose), which categories of personal information were sold, and which categories were disclosed for a business purpose. Keeping up-to-date and detailed records will be key.
Having a process in place will make it easier to maintain up-to-date records of how your company uses and shares data. The process should involve stakeholders across the organization because building business process flows and a comprehensive data inventory will involve multiple departments.
Using tools to automate parts of the process can save an immense amount of time. A centralized, secure tool with reporting capabilities can save teams from having to manually enter and find data in spreadsheets, which can be very time-consuming.
TrustArc offers three different options to help companies meet CCPA requirements.
The TrustArc CCPA Readiness Assessment is meant to help companies that are just beginning the journey toward CCPA compliance. The assessment, managed by an expert TrustArc Consultant and powered by the TrustArc Privacy Platform, includes a review against CCPA requirements, a detailed summary of gaps and remediation recommendations, and a prioritized, step-by-step implementation plan to achieve and maintain compliance.
For companies that have already developed a GDPR compliance program, the TrustArc GDPR to CCPA Readiness Assessment follows the same methodology as the CCPA Readiness Assessment, but helps companies to leverage existing processes and controls, while addressing the unique requirements of the CCPA.
The CCPA Implementation Package incorporates the TrustArc Platform to manage CCPA compliance requirements. The TrustArc Platform provides end-to-end privacy management through a series of integrated modules designed to address a wide range of privacy requirements, including CCPA, GDPR, HIPAA, and other global regulations.