Implement CCPA Compliance in Your Organization
After completing this unit, you’ll be able to:
- Describe different activities that organizations can undertake to build towards CCPA compliance.
- Explain how Salesforce helps customers comply with the CCPA.
The CCPA is a complex law that will require resources and people to be dedicated to ensuring organizations meet all the requirements. Adding to the complexity is the fact that since it was signed into law in the summer of 2019, the CCPA has been amended several times and future regulations (like the California Privacy Rights Act) are likely to only expand Consumer rights and obligations for Controllers.
The following is intended to provide a brief and general overview of some basic components any CCPA compliance strategy should include. It is by no means foolproof, nor should it serve as legal advice. The most important thing you can do to help your Business comply with the CCPA is to consult with experts on how to build a compliance program that fits your Business and meets the requirements under the law.
Tuning Privacy Notices and Disclosures
When GDPR went into effect in 2018, companies all over the world updated their privacy policies and disclosures to comply with the new rules. The CCPA likewise requires Businesses to update their privacy policies and notify individuals of the changes. Additionally, Businesses that Sell Personal Information have to incorporate “Do Not Sell My Personal Information” links on their websites. Every Business collecting the Personal Information of California Consumers has to make changes to their public disclosures. And since regulations and interpretations of the law will be forthcoming for years to come, it is likely that disclosures and policies will require more updates as requirements are clarified and details about enforcement come to light over time.
Responding to Consumer Requests
The CCPA has many specific requirements and rules. One of the most important decisions every organization impacted by the CCPA will have to make is how to handle requests by Consumers wishing to exercise their rights under the CCPA. It is important to make it easy for Consumers to submit data access requests. The CCPA has specific minimum requirements, but nothing stops a Business from making things even easier if possible.
Additionally, verifying the identity of Consumers is essential to make sure sensitive information is not shared with the wrong person. After verifying that the Consumer is who they say they are and that the request is lawful, Businesses must respond to rights requests within 45 days: disclose and deliver the appropriate information, and take the action requested by the Consumer. Therefore, it is important that processes and procedures be implemented to meet the 45-day deadline for every request.
Do Not Sell My Personal Information
Under the CCPA, every Business engaged in activities that constitute a Sale under CCPA must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that directs users to a web page enabling them to opt out of the Sale of their Personal Information. Businesses must update their websites to include this link and ensure it points to a functioning web page that allows Consumers to opt out of the Sale of their information.
Because Sale is described so broadly in the CCPA, this opt-out process must be managed carefully to ensure the Consumer’s Personal Information is not inadvertently shared or used in a way that constitutes a Sale under the CCPA after the Consumer has opted out. As regulations are issued and the CCPA is interpreted by the Attorney General of California and the courts, there will likely be more clarity on what is and what is not a Sale under the CCPA. Meanwhile, it’s important to carefully analyze all of your Business’s use cases to ensure you are tracking when Personal Information is Sold, so you can honor opt-out requests quickly and effectively.
Protecting Against Data Breaches
Businesses should take measures to ensure that their collection and processing of Personal Information is done while applying reasonable security procedures and practices appropriate to the nature of the information itself. One approach to protecting against data breaches is to implement a risk-based security program that identifies the security vulnerabilities of an organization and then takes measures to mitigate those risks. Because the CCPA (like GDPR) applies a reasonableness standard to security, a risk-based approach to breach prevention lets Businesses achieve a high degree of security while limiting their exposure to lawsuits (the CCPA gives Consumers the right to sue in certain limited instances) and, most importantly, protecting Consumers.
Salesforce and the CCPA
Salesforce has carefully prepared for the CCPA. In relation to our customers, Salesforce qualifies as a Service Provider under the CCPA and is dedicated to helping our customers comply with the CCPA when using our services. Our customers who previously signed our Data Processing Agreement (DPA) likely already have adequate terms meeting the requirements of the CCPA. Nonetheless, we have a new DPA available on our website that includes terms specifically designed for the CCPA, and customers can transition to the new DPA if they prefer.
Salesforce will continue to monitor developments surrounding the CCPA to ensure we do all we can to comply with the law and help our customers comply as well.
Let’s Sum It Up
The CCPA is complex and requires all stakeholders to change the way Personal Information is managed. By working together, we can make sure we comply with the CCPA, allow people to exercise their rights, and improve how we protect everyone’s privacy.