CCPA Certification and Compliance

To comply with the California Consumer Privacy Act (CCPA), you need to map the personal information you collect, update your website's privacy policy and notices so that they meet CCPA's disclosure requirements, set up a reliable process for handling consumer requests, train the employees who handle those requests, and strengthen your data security controls so that a breach of unencrypted personal information does not expose you to liability. If you are already GDPR-compliant, most of this work is done: the data inventory, the policy disclosures and the request-handling process carry over with CCPA-specific adjustments. This article explains what "CCPA certification" means in practice and how to reach CCPA compliance.

The difference between CCPA and GDPR.

What is CCPA certification?

The California Consumer Privacy Act is a data privacy law that gives California consumers control over how their personal information is collected, stored, sold and shared with third parties. Note that the state issues no CCPA certificate; "CCPA certification" is shorthand for being able to demonstrate, to the Attorney General or a customer, that your business meets the law's requirements. Businesses anywhere in the world must comply if they do business with California residents and meet any of the following criteria:

  • They have gross annual revenue of $25 million or more.
  • They collect, buy, sell or share the personal information of 50,000 or more California consumers, households, or devices per year.
  • They derive at least 50% of their annual revenue from selling the personal information of California residents.

CCPA applies to for-profit businesses that meet one of these thresholds, even if they are not located in the USA. (The CPRA amendments, in force since January 1, 2023, raised the second threshold to 100,000 consumers or households and dropped devices from the count; check which version applies to the period you are assessing.) The law gives consumers the right to see the personal information collected about them, to have it deleted, and to tell a business to stop selling or sharing it with third parties. Personal information is any information that identifies, relates to or could reasonably be linked with a particular consumer or household, including geolocation, search history, purchase history, Social Security number, email address, phone number, postal address, biometric data, etc.

Failure to comply with CCPA can result in civil penalties, enforced by the California Attorney General, of up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Each affected consumer or request can count as a separate violation, so the amounts scale quickly. Liability for data breaches is separate and is covered under Step 5.

How to get CCPA certification?

Step 1 – Map your data

This is the most labor-intensive task, but done properly at the start it saves a great deal of time later. For each category of personal information you collect, record where it is stored, why it is collected, how long it is retained, and whether it stays internal or is sold or shared with third parties (and with whom). Those two groups, data for internal use and data that is disclosed to third parties, drive every later step.

Important information – under CCPA, consumers are not just buyers or prospects. A consumer is any California resident whose personal information is being collected, including job applicants, employees, newsletter subscribers and website visitors. Each household and each device is also counted separately, so the 50,000 threshold covers consumers, households and devices together, not people alone.

Categorize your consumers first, then collect and keep only the personal information each category actually requires. For example, an email subscription needs only an email address, whereas an online purchase may legitimately require a purchase history, a delivery address, and brand, budget, color and quality preferences. Data you never collect never has to be disclosed, deleted or protected.

Once the data is categorized, decide which information you intend to sell or share and which you will retain internally only. A thorough data map makes it far easier to fulfil access, deletion and opt-out requests, because you can see at a glance which systems hold the data and which third parties must be notified.

Step 2 – Update your privacy policies

This is a straightforward step: update your existing privacy policy so that it meets CCPA's disclosure requirements. The easiest way is to add a CCPA addendum. In the addendum, clearly describe the rights consumers have and how to exercise them: the right to know, the right to delete, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising those rights. State which categories of personal information you collect, why you collect them, and what you do with them, and provide at least two methods for submitting requests (for example a toll-free number and a web form). If you sell personal information, add a clearly visible "Do Not Sell My Personal Information" link on your homepage. Link to the privacy policy at every point where data is collected, and review the policy at least once every 12 months.

Step 3 – Figure out how you are going to process consumer requests

Once your privacy policy is updated, you must be ready to process requests as soon as they arrive. CCPA requires a response within 45 days of receiving a request (extendable once by up to a further 45 days when reasonably necessary), and the clock starts on receipt, not when the requester's identity is confirmed. Develop a written procedure that your employees can follow: how to verify the identity of the person making an access or deletion request, where each category of data lives, which records must be deleted and which may be retained under a statutory exception (for example records you are legally required to keep), and which service providers and third parties must be told to delete or stop using the data. Opt-out requests must be honoured without requiring identity verification. There should be no scope for guesswork, because this is people's personal data.
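The data map from Step 1 is what makes Step 3 mechanical. The following Python is an added example, not code from the original article or from any real business: it turns a constructed data map (the system names, third party and categories are assumptions) into the concrete actions a request handler must carry out, computes the statutory deadline from the receipt date, gates access and deletion requests on identity verification while letting opt-out requests through unverified, and records deletion exceptions instead of silently skipping them.

```python
"""Route CCPA consumer requests against a data map (added example).

The data map entries, system names, third party and request records below
are constructed for illustration; they are not the page's own material.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cal. Civ. Code 1798.130(a)(2): respond within 45 days of receipt, extendable
# once by up to 45 more days when reasonably necessary.
RESPONSE_DAYS = 45
EXTENSION_DAYS = 45


@dataclass(frozen=True)
class DataMapEntry:
    category: str                 # category of personal information
    system: str                   # assumed internal system holding it
    purpose: str                  # why it is collected
    sold_or_shared: bool          # disclosed to a third party?
    third_party: Optional[str] = None
    legal_hold: bool = False      # retention required by law: deletion exception


# Constructed data map for a hypothetical online shop.
DATA_MAP = [
    DataMapEntry("email", "crm", "newsletter", False),
    DataMapEntry("shopping_history", "orders_db", "fulfil orders", True, "AdNetworkCo"),
    DataMapEntry("geolocation", "analytics", "regional offers", True, "AdNetworkCo"),
    DataMapEntry("order_invoices", "finance", "tax records", False, legal_hold=True),
]


@dataclass
class ConsumerRequest:
    request_id: str
    consumer_id: str
    kind: str                     # "know", "delete" or "opt_out"
    received: date
    identity_verified: bool = False
    extended: bool = False        # the single permitted 45-day extension


def response_deadline(req: ConsumerRequest) -> date:
    """The deadline counts from receipt, not from when identity was verified."""
    days = RESPONSE_DAYS + (EXTENSION_DAYS if req.extended else 0)
    return req.received + timedelta(days=days)


def plan_request(req: ConsumerRequest, data_map=DATA_MAP) -> dict:
    """Turn a request into the concrete actions each team must carry out."""
    plan = {"request_id": req.request_id,
            "deadline": response_deadline(req).isoformat(),
            "actions": []}
    # Access and deletion requests must be verified first; opt-out requests
    # must be honoured without a verification step.
    if req.kind in ("know", "delete") and not req.identity_verified:
        plan["status"] = "pending_verification"
        return plan
    if req.kind == "know":
        for e in data_map:
            plan["actions"].append({"disclose": e.category, "system": e.system,
                                    "purpose": e.purpose, "shared_with": e.third_party})
    elif req.kind == "delete":
        for e in data_map:
            if e.legal_hold:
                # Record the exception so the response can explain the retention.
                plan["actions"].append({"retain": e.category, "system": e.system,
                                        "reason": "legal obligation"})
                continue
            plan["actions"].append({"delete": e.category, "system": e.system})
            if e.sold_or_shared:
                # 1798.105(c): direct service providers and recipients to delete too.
                plan["actions"].append({"notify_delete": e.third_party,
                                        "category": e.category})
    elif req.kind == "opt_out":
        for e in data_map:
            if e.sold_or_shared:
                plan["actions"].append({"stop_selling": e.category, "system": e.system,
                                        "notify": e.third_party})
    else:
        raise ValueError(f"unknown request kind: {req.kind}")
    plan["status"] = "planned"
    return plan


if __name__ == "__main__":
    req = ConsumerRequest("r1", "c1", "delete", date(2023, 1, 10), identity_verified=True)
    for action in plan_request(req)["actions"]:
        print(action)
```

The plan is a checklist for the people who execute it; every entry in the data map produces either a delete, a retain-with-reason or a disclose action, so a category can never be overlooked, and third-party notifications are generated from the same map that drives the privacy policy disclosures.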

Step 4 – Provide data privacy training to your employees

CCPA requires that everyone responsible for handling consumer inquiries about your privacy practices or your CCPA compliance is informed of the law's requirements and of how to direct consumers to exercise their rights. In practice, train all employees, new and seasoned, even those outside customer-facing or data-protection roles, so that a request arriving through an unexpected channel is recognized and routed correctly rather than lost. Any mode of training works: classroom sessions, virtual training, self-study course materials, etc. Keep records of who was trained and when, since that is the evidence you will need if your compliance is questioned.

Step 5 – Strengthen your data security system

In addition to the civil penalties for non-compliance, CCPA gives consumers a private right of action when their nonencrypted and nonredacted personal information is exposed in a breach caused by a business's failure to implement reasonable security procedures and practices. Statutory damages run from $100 to $750 per consumer per incident, or actual damages if greater, and are typically pursued as class actions. The law does not prescribe a particular standard, but aligning your security program with a recognized framework such as ISO 27001 is a defensible way to demonstrate "reasonable" security; encrypting personal information at rest and in transit directly narrows what the private right of action can reach.

Wrap up

CCPA compliance is not a one-time project. Review your privacy policy at least once every 12 months, as the law requires, and revisit the data map and request-handling procedures whenever you add a system, a vendor or a new use of personal information. If you do not have the staff to do this, seek professional help.

California Consumer Privacy Act (CCPA) Data Privacy Course – via UDEMY

This course is easy to understand and provides a comprehensive overview of the California Consumer Privacy Act.