On January 1, 2020, the California Consumer Privacy Act went into effect—becoming the strictest data privacy law in United States history. But, what does this mean for businesses? Do businesses need to change how they collect and process personal information? The short answer is, yes. With the deadline now behind us, companies must be prepared to respond to consumer requests for information.
Businesses Will Face Tough Challenges Responding to Requests for Personal Information
Consider, for example, your business receives 50 data requests asking for disclosure about how it collects, uses, and shares personal information, and for a copy of the specific pieces of personal data it collected about the requesting individuals during the past 12-months. You have 45 days to respond. What do you do? Shut down business operations while you frantically search for the personal information? Of course, this isn’t the answer.
Overcoming the Challenge of Data Requests
The solution is to build a data inventory and a data flow map to understand the personal data processing activities within the company. The CCPA includes 11 categories of personal information, which means that data must be organized and recorded into the specific category of personal information as defined under the CCPA. As a result, companies must learn:
- which types of personal information they collect and share,
- the purposes for which they use it,
- where, for how long, and on what systems they store personal information, and
- the parties with whom they share personal information.
How Far Back Must Companies Maintain Data Inventories?
The CCPA requires that companies provide records of personal information covering the 12 months preceding the date of the verified consumer request. For more information about the CCPA’s 12-month look-back requirement, check out our article CCPA 12-Month Look-Back Provision.
Will My GDPR data Inventory Satisfy the CCPA’s Requirements?
Companies that have already developed GDPR data inventories must also adapt to meet the unique requirements under the CCPA. For example, under the CCPA, inventories should have columns flagging personal information likely to be exempt under the act. This includes, for example, personal information that was collected more than 12-months ago or certain sector-specific categories of personal information that are expressly excluded under the act such as certain health or financial information covered under HIPAA or the GLBA, respectively.
Not only will data mapping and inventorying ensure businesses access the specific data they need exactly when they need it, but it will also help prevent companies from over-complying and absorbing unneeded expenses.
Practically speaking, you want to comply, but also utilize data appropriately and achieve more than compliance.
With the CCPA’s July 1 enforcement deadline rapidly approaching, now is the time to prepare your business to respond to consumer requests and meet the compliance challenges posed by the CCPA.
Rather than accept the risk of noncompliance, reach out to our team of privacy professionals today and let us help your business achieve CCPA compliance. Click here to Schedule an appointment for a time that works best for you.
We look forward to hearing from you.