What do organizations need to know about the CCPA?

Organizations across the U.S. that process the personal information of California residents have a new law to deal with – the CCPA (California Consumer Privacy Act).

The CCPA requires organizations to tell California residents when their personal data is being collected and what it’s being used for. Consumers also have the right to:

  • Access the personal information that organizations collect or process about them
  • Request that organizations delete their personal data under certain circumstances
  • Request that organizations stop selling their personal data to third parties

So, what should organizations do to make sure they’re compliant? You can find out by reading my comprehensive handbook: The California Consumer Privacy Act (CCPA) – An implementation guide.

As a consultant for IT Governance USA, I specialize in data privacy risk and compliance projects, from data inventory audits to gap analyses, contract management, and breach remediation.

With experience in a variety of industries, I have a strong understanding of the legal issues presented by regulatory frameworks, and the business impact of privacy regulations like the CCPA.

An extract

Curiously, there is wording buried in subparagraph (a)(2) of section 1798.130 that contains language similar to the GDPR’s “right to data portability.” Article 20 of the GDPR states:

The data subject shall have the right to receive the personal data concerning him or her […] in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance […]

The CCPA, meanwhile, requires responses to verifiable consumer requests to be provided “in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.” Considering this requirement applies to both categories and specific pieces of information, organizations must be able to respond completely to consumer requests, which means that they must be able to identify and gather the necessary information, and provide it to the consumer in the appropriate format.

This will likely require data mapping or data flow audits that track what data is collected from consumers, how that data is used, and where it is stored. In turn, this helps personnel reply to verifiable consumer requests, because they will ideally have access to a controlled repository (the data map) where they can quickly filter and search for the key data elements held about a consumer, along with the organization’s stated use or intended business purpose for each of them.
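To make the above concrete, here is a small added example (my own illustration, not code from the handbook or from any real system) of what a data map and a portable export look like in practice. The three systems (`crm`, `orders`, `web_logs`), the records in them, and the one-time-token check used to decide whether a request is "verifiable" are all constructed assumptions; the CCPA text quoted above prescribes the output format, not how a business verifies identity or stores its inventory.

```python
"""Added example: a data map plus a machine-readable export for a verified
consumer request. All systems, records and tokens below are constructed."""
import json

# Data inventory (constructed): which system holds which category of personal
# information, and the business purpose the organisation has recorded for it.
DATA_MAP = {
    "crm":      {"category": "identifiers",            "purpose": "account management"},
    "orders":   {"category": "commercial information", "purpose": "order fulfilment"},
    "web_logs": {"category": "internet activity",      "purpose": "site analytics"},
}

# Constructed records in each system. Only the CRM stores the email address;
# every other system is joined to the consumer through customer_id.
SYSTEMS = {
    "crm": [
        {"customer_id": "C-1001", "email": "ana@example.com", "name": "Ana Ruiz"},
        {"customer_id": "C-1002", "email": "bo@example.com",  "name": "Bo Lee"},
    ],
    "orders": [
        {"customer_id": "C-1001", "order_id": "O-77", "total": 42.10},
        {"customer_id": "C-1002", "order_id": "O-78", "total": 9.99},
        {"customer_id": "C-1001", "order_id": "O-80", "total": 13.50},
    ],
    "web_logs": [
        {"customer_id": "C-1001", "page": "/shop", "ts": "2020-01-04T10:00:00Z"},
    ],
}


def verify_request(email, token, issued_tokens):
    """Toy verification (assumption): the request counts as verifiable only if
    the one-time token sent to the email address on file matches."""
    return issued_tokens.get(email) == token


def gather(email):
    """Resolve the consumer in the CRM, then collect every record that joins to
    that consumer across all inventoried systems. Returns None if unknown."""
    crm_hits = [r for r in SYSTEMS["crm"] if r["email"].lower() == email.lower()]
    if not crm_hits:
        return None
    cid = crm_hits[0]["customer_id"]
    found = {}
    for system, records in SYSTEMS.items():
        hits = [r for r in records if r.get("customer_id") == cid]
        if hits:
            found[system] = hits
    return found


def build_export(email, token, issued_tokens):
    """Build the response to a verifiable request as plain JSON-serialisable
    data: per source system, the category, the business purpose, and the
    specific pieces of information held."""
    if not verify_request(email, token, issued_tokens):
        raise PermissionError("request could not be verified")
    found = gather(email)
    if found is None:
        # Nothing held about this person; say so explicitly rather than failing.
        return {"consumer": email, "records": []}
    records = []
    for system, hits in found.items():
        if system not in DATA_MAP:
            # A system holding consumer data that the inventory does not
            # describe is a gap in the data map and should block the response.
            raise LookupError(f"system {system!r} missing from data map")
        meta = DATA_MAP[system]
        records.append({
            "source": system,
            "category": meta["category"],
            "business_purpose": meta["purpose"],
            "pieces": hits,
        })
    return {"consumer": email, "records": records}


if __name__ == "__main__":
    tokens = {"ana@example.com": "t-123"}  # constructed one-time token store
    print(json.dumps(build_export("ana@example.com", "t-123", tokens), indent=2))
```

The point of the `DATA_MAP` lookup is that the export carries the category and business purpose alongside each piece of data, which is what lets the same gathering step serve both a "categories" request and a "specific pieces" request; and because the result is plain JSON, it already satisfies the "readily useable" and "machine-readable" wording quoted above.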

Learn more about the CCPA

The California Consumer Privacy Act (CCPA): An implementation guide contains everything you need to know about the new rules.

IT Governance USA can also help if you’re looking for more specific support, with a dedicated CCPA training course, and consultants such as me ready to give you hands-on guidance completing a CCPA gap analysis.