CCPA vs GDPR. It’s different but similar.
There are certain principles on which GDPR is based, and those overlap with the intentions of CCPA as well. Still, both are different. You may be in compliance with GDPR, and still require steps to take for being CCPA compliant. Personal information has different definitions in CCPA, versus GDPR. The tactics (and the reasons) of verification, are different for CCPA versus GDPR. For example, Double Opt-In is a strong way to demonstrate GDPR compliance, but we're not sure if the same shall cover CCPA for all scenarios.
To explore and find areas which can speed up CCPA compliance, I had a discussion with my colleague, Saurabh Tyagi to share his perspective and summarize the key items below (though CCPA in itself, is much larger)
Areas CCPA revolves around
There's still time before we see a CCPA requirements checklist, however CCPA primarily revolves around rights to know, delete, opt-out (from selling information) and non-discrimination. We try to list a few steps below which can help to prepare for being CCPA compliant.
Access to Consumers to know their data
If you have defined how you collect information, how you use it, share or sell it, you should be good. There are certain time-frames required to be respected for requests regarding right to know and delete.
Besides, the information needs to be granular - e.g. if you say that you collected “Geographical Information” via a Form Fill - the fields you collect must be recorded as well. Although this is obvious, this is explicitly mentioned as of now. This is similar to "Right to Access" in GDPR and can be demonstrated by having procedures to follow up on such requests. For example, having a Form on Website or a Toll Free Number and having follow-up process.
Processing a request to delete data
Consumers need to be able to request you to delete their data from your records. GDPR has a similar requirement, with a process to respond to such requests within a Month.
Though the the CCPA process is similar, the verification of Consumer is a mandatory requirement. In addition, the request to know or delete, needs to be acknowledged within 10 days, and information regarding how it shall process the request needs to be communicated. In this case, we need to make sure to follow up within 45 days.
3rd party can provide a security process to verify the identity of the consumer who makes a request to business. However it's subject to more CCPA rules!
Deny, but comply as much as you can - In case the Consumer is not verified, but had made a request to Delete their Data, at least mark them as Marketing Suspended, or Opt-Out from other procedures to demonstrate compliance.
A consumer should be able to opt-out from you selling their information
Place a link on your website saying “Don’t sell my data”. Develop procedures to follow up on such requests. (This is not applicable if you do not sell* data)
“One method which can help digital-verify the Consumer can be highlighted by the following - if the "Don't Sell My Data" link takes the consumer to a form, a simple email address should be fine, and the consumer can be verified by double opt-in via a single click in the confirmation email. However, it would be even better if we can take the consumer to a new form from the confirmation email, with a stress on the message, that their data shall be deleted - this could be a bit more affirmative online verification of the Consumer” - Saurabh Tyagi
CCPA doesn't yet clearly mentions if this is a suitable case to verify - per the current draft, the verification just needs to be reasonable. This is similar to Marketo asking a second time if we're okay to delete some # of records.
Provide notice to consumers
Before, or at the time you collect their data, similar to the check-box method below the form where you collect data, provide notices. Ensure that language used at such notices is plain, straightforward and avoids technical, or legal jargons! In addition to being straightforward, the notice must draw attention of a consumer.
Maintain record for “how you responded”
This needs to be maintained for 24 Months - starting with whenever a request is made. One way to achieve this is by alerting a staff member, and then having an internal ticket log system to manage maintenance. This rule requires the business to make someone accountable.
We need to log the way we responded, whenever such requests are made*. These could mean different ways, but a ticket log by an accountable member seems most simple. Or just having a spreadsheet updated based on the type of activities - E.g. Received Request, Received Request Data, Acknowledged Request, Categorized Request, Processed Request and so on, with details attached.
*A business’s maintenance of the information required by this section, where that information is not used for any other purpose, does not taken alone violate the CCPA or these regulations
It’s so common to hear tech companies say: “Privacy is not a privilege; it is a fundamental right” that those words have become a cliche. People have become desensitized to hearing companies say, “we value your privacy,” and are worn out from being asked to accept privacy policies that they rarely, if ever, even read. Many companies make these declarations without even showing people what actions they are taking to protect their privacy. And let's be honest, we have room for improvement too - Twitter
Have you attempted some of the above work? What are your Anticipations for the regulation being applied for Privacy of world's 5th largest economy? CCPA is much more comprehensive than we can cover in one post, however looking for thoughts and ideas!