This guide distills the California Consumer Privacy Act (CCPA) into distinct phases to help a business achieve and then maintain compliance. The guide is designed for professionals across a wide range of functions who will be impacted by the CCPA.
Before building a program, TrustArc suggests that companies review with legal counsel all of the privacy regulations and frameworks with which the company will have to comply. Finding commonalities between their requirements and controls allows a company to build on the overlap between the obligations and then adjust for any differences, rather than running completely separate programs.
One example of a requirement that is new with the CCPA is the “look back” period. Your budget should therefore include the resources your team will need to meet the requirements around access, accounting of disclosures, and transparency. For example, companies will have to identify any personal information the business collected about a consumer during the past 12 months, so every business process that collects personal information should be recorded in a data inventory. A company will need to be able to identify the type of personal information being collected; the CCPA enumerates 11 categories, and the company must choose the one that most closely describes the personal information. The company will also need to know why it collected the personal information (the purpose), which categories of personal information were sold, and which categories were disclosed for a business purpose. Keeping detailed, up-to-date records will be key.
To learn more about CCPA requirements and how to leverage your existing privacy program, download your copy of the CCPA Essential Guide now.