Notice of non-compliance with California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The following CHECKLIST must be completed in order to comply with the CCPA and the CPRA as of 2023. Answer the questions below and take the applicable remediation actions in order to continue collecting and using data. A functioning data subject access request (DSAR) and privacy platform is required to continue collecting or using data for marketing, collecting emails or personally identifiable information (PII) for loyalty programs or sign-ups, or collecting data for any other marketing purpose. All point of collection (POC) disclosures and consents must be updated to comply with the new data protection requirements. Ethnicity data (racial or ethnic origin) is "sensitive personal information" under the CPRA and requires additional protections.
COMPLIANCE DEADLINE: DEC 31, 2022 – CPRA penalties begin JAN 1, 2023
CPRA QUESTIONNAIRE
The CPRA applies to certain entities that process Californians’ personal information. It takes effect on January 1, 2023 although the CCPA continues to apply until that time.
1. Is your organization operated for the profit or financial benefit of its shareholders or other owners?
a. Yes – Proceed to the next question.
b. No – The CPRA does not apply.
2. Does your organization conduct business in the state of California or with people in California?
a. Yes – Proceed to the next question.
b. No – The CPRA does not apply.
3. Does your organization collect consumers’ personal information?
a. Yes – Proceed to the next question.
b. No – The CPRA does not apply.
If you answered no to any of questions 1-3, the CPRA does not apply. If you answered yes to all three, continue to questions 4-6: the CPRA applies only if your organization also meets at least one of the thresholds in questions 4-6.
4. Does your organization have $25 million or more in gross revenue in the preceding calendar year?
a. Yes – The CPRA applies.
b. No – Proceed to the next question.
5. Does your organization buy, sell or share the personal information of 100,000 or more consumers or households in a year?
a. Yes – The CPRA applies.
b. No – Proceed to the next question.
6. Does your organization derive 50% or more of its annual revenue from selling or sharing consumers’ personal information?
a. Yes – The CPRA applies.
b. No – None of the thresholds is met, so the CPRA is unlikely to apply. Note that an entity that controls, is controlled by, or shares common branding with a covered business can still be covered.
If you have answered yes to one or more of questions 4-6, your organization must comply with the CPRA.
CHECKLIST
1. Obtain board-level support and accountability.
• Advise the board about privacy risks and the benefits of CPRA compliance
• Obtain management support for your CPRA compliance program
• Assign accountability for CPRA compliance
2. Reporting and developing a detailed gap analysis.
• Review the CPRA to understand its requirements
• Audit your privacy and security programs against the CPRA’s requirements
• Determine which compliance gaps require remediation
3. Data Mapping. Create a personal information inventory and data flow maps. California consumers have the right to know what personal information is collected, processed, sold, and shared – as well as the source of that information. In order to do so, please identify:
• Number of consumers whose personal information is being processed
• Categories of personal information collected from consumers
• Business purpose(s) for processing this information
• Source(s) of personal information
• Third parties and service providers with which your organization shares, sells, or discloses personal information
• Categories of personal information that are being sold, shared, or disclosed
4. Update all Disclosures, Terms and Conditions and Consents to comply with CPRA 2023.
Privacy notice
Does your organization’s privacy notice:
• List the categories of personal information and sensitive personal information collected or used;
• List the categories of sources from which that information is collected;
• Describe the purposes for which the information is collected and used;
• Outline the length of time that the business intends to retain each category of personal and sensitive personal information;
• List the categories of information sold, shared, or disclosed for a business purpose, and the purpose for doing so;
• Explain the categories of third parties to whom information is disclosed;
• Discuss consumer rights under California law, and provide 2 or more methods for consumers to exercise those rights (including the right to deletion and the right to request specific pieces of information);
And:
• Is your organization’s privacy notice updated at least every 12 months?
If you answered no to any or all these questions, you will need to update the privacy policy.
Access requests
• Do you have two or more methods through which consumers can submit access requests (potentially including a toll-free telephone number)?
• Does your organization have mechanisms in place to verify the identity of people requesting information?
If you answered no to either of these questions, you will need to develop processes and supporting policies for consumer access requests. These requirements are similar to those of the EU's General Data Protection Regulation (GDPR).
Selling personal information
Does your organization sell personal information?
If you answered yes, consider the following questions:
• Is there a clear and conspicuous link on your Internet homepage titled "Do Not Sell or Share My Personal Information"?
• Does your website treat an opt-out preference signal sent by the browser (for example, Global Privacy Control) as a valid request to opt out of sale or sharing?
• Are mechanisms in place to respond to opt-out requests and limit the disclosure of data?
• Can personal information be deleted in response to a deletion request?
• Are appropriate mechanisms in place to ensure the requested information is deleted from your records, and that service providers and contractors holding the information are notified to delete it as well?
• Have all service providers and/or contractors (as defined by the CPRA) been identified?
• Are appropriate contracts in place with each of them?
If you answered no to any of these questions, your organization should review its data mapping initiatives and contracts.
5. Implement processes and technical measures to secure personal information
• Are there processes in place to keep personal information accurate, correct, and up to date?
• Is personal information stored in a confidential and safe manner (whether physically or electronically)?
• Can personal information be pseudonymized, anonymized, deidentified, or aggregated?
• Can personal information be encrypted or redacted?
• Are IT systems and services regularly tested for security vulnerabilities and remediated?
• Has your organization implemented a risk control or security management framework?
If you answered no to any of these questions, you will need to set up an overall information security policy and implement a security management framework. Implementing an ISMS (information security management system) that conforms to the international standard ISO/IEC 27001 is highly recommended; note that ISO/IEC 27001:2022 has superseded the 2013 edition.
6. Data breach notification
• If your organization suffers a data breach, do you have a mechanism to notify affected CA residents?
• Does the notification form include all the requirements listed in Cal. Civ. Code § 1798.82(d)?
If you answered no, you will need to develop policies and procedures related to incident response and data breach notification.
7. Children’s data
• Are appropriate opt-in mechanisms in place before selling or sharing the personal information of consumers under 16? (Consumers aged 13 to 15 must affirmatively opt in themselves; for children under 13, a parent or guardian must consent.)
If you answered no, you will need to set up a policy and supporting processes to obtain a valid opt-in before selling or sharing children's personal information.
8. Ensure your employees are trained and competent
Any staff involved in processing personal information must understand the CPRA’s requirements and know how to maintain good data hygiene.
• Do all employees understand the importance of protecting personal information, basic CPRA principles, and the procedures to ensure compliance?
• Are all individuals responsible for managing consumer inquiries trained on consumer rights under the CPRA and how to respond to consumers?
If you answered no, you will need to set up a training and awareness program so that all staff responsible for handling consumer inquiries related to privacy are trained on the CPRA generally, consumer rights specifically, and your organization’s processes for managing and responding to consumer requests for information.
9. Monitor and audit compliance
Complying with the CPRA is an on-going process. Periodic internal audits will ensure your activities remain up to date and that you will not fall out of compliance. You should:
• Schedule regular audits of personal data processing activities and security controls
• Keep records of personal data processing up to date
• The CPRA regulations require records of all consumer (DSAR) requests and how your organization responded to them to be kept for at least 24 months
10. CPRA and marketing
Will you be collecting data for marketing purposes?
• Direct mail
• Email marketing
• SMS
• Social media marketing
• Ethnic or segmented marketing (Asian marketing, language preferred marketing)
• Website
• Digital advertising
If you answered yes, then data processing agreements (DPAs) will need to be in place with all third parties that provide processing or collection services. Terms and conditions as well as all privacy policies will need to be updated accordingly to comply with the CPRA. Ethnicity data is sensitive personal information under the CPRA and requires a higher level of protection and additional consumer rights (including the right to limit its use).
11. Do you collect or use any of the following?
• Transactional data
• A loyalty rewards program that holds PII
• Internal information on employees
• Health or other sensitive PII (vaccination status, biometrics, etc.)
If you answered yes to any of the questions above, then DPAs will need to be in place with all third parties that provide processing or collection services. Terms and conditions as well as all privacy policies will need to be updated accordingly to comply with the CPRA. Health and biometric data are sensitive personal information and will require additional levels of protection for CPRA compliance. Note that the CCPA's exemptions for employee and business-to-business data expire on January 1, 2023, so HR and workforce data come into scope at the same time.
ACTION ITEMS
1. Update all applicable items identified on CHECKLIST.
2. Remediation of Consumer Disclosures, Terms and Conditions and Consumer Consents at all Points of Collection (POC).
3. Data mapping must cover the lookback period: consumers may request information collected on or after January 1, 2022, including data collected before the CPRA takes effect in 2023.
4. Ensure a functioning DSAR platform that can track inbound requests, verify the identity of each requester, and provide a system for remediation and for managing communications with data subjects.