Implement CCPA Compliance in Your Organization
After completing this unit, you’ll be able to:
- Describe different activities that organizations can undertake to prepare for the CCPA.
- Explain how Salesforce helps customers comply with the CCPA.
The CCPA is a complex law that requires resources and people dedicated to ensuring organizations meet all of the requirements. Adding to the complexity is the fact that since it was signed into law in the summer of 2019, the CCPA has been amended several times and future regulations (provided by the California attorney general) are likely to include more details and requirements as to the specifics of compliance.
The following is intended to provide a brief and general overview of some of the basic components any CCPA compliance strategy should include. But by no means is this legal advice or foolproof. The most important thing you can do to help your Business comply with the CCPA is consult with experts on how to build a compliance program that fits your Business and meets the requirements under the law.
Tuning Privacy Notices and Disclosures
When GDPR went into effect in 2018, companies all over the world updated their privacy policies and disclosures to comply with the new rules. The CCPA similarly required Businesses to update their privacy policies and notify individuals of the changes. Additionally, Businesses that Sell Personal Information had to incorporate “Do Not Sell My Personal Information” links on their websites. Every Business collecting the Personal Information of California Consumers had to make changes to their public disclosures. And since regulations and interpretations of the law will probably be forthcoming for years to come, it is likely that disclosures and policies will require more updates as requirements are clarified and details about enforcement come to light over time.
Responding to Consumer Requests
The CCPA has many specific requirements and rules. One of the most important decisions every organization impacted by the CCPA will have to make is how to handle requests by Consumers wishing to exercise their rights under the CCPA. It is important to make it easy for Consumers to submit data access requests. The CCPA has specific minimum requirements, but nothing stops a Business from making things even easier if possible.
Additionally, verifying the identity of Consumers will be essential to make sure sensitive information is not shared with the wrong person. After verifying that the Consumer is who they say they are and that the request is lawful, Businesses must respond to rights requests within 45 days and disclose and deliver the appropriate information and take the necessary action requested by the Consumer. Therefore, it is important that processes and procedures be implemented to meet the 45-day deadline for every request.
Do Not Sell My Personal Information
Under the CCPA, every Business engaged in activities that constitute a Sale under CCPA must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that directs users to a web page enabling them to opt out of the Sale of their Personal Information. Businesses will have to update their websites to include this link and ensure it points to a functioning web page that allows Consumers to opt out of the Sale of their information.
Because Sale is defined so broadly in the CCPA, this opt-out process must be managed carefully to ensure the Consumer’s Personal Information is not inadvertently shared or used in a way that constitutes a Sale under the CCPA after the Consumer has opted out. As regulations are issued and the CCPA is interpreted by the Attorney General of California and the courts, there will likely be more clarity on what is and what is not a Sale under the CCPA. Meanwhile, it’s important to carefully analyze all of your Business’s use cases to ensure you are tracking when Personal Information is Sold so you can honor opt-out requests quickly and effectively.
Protecting Against Data Breaches
Businesses should take measures to ensure that their collection and processing of Personal Information is done while applying reasonable security procedures and practices appropriate to the nature of the information itself. One approach to protecting against data breaches is to implement a risk-based security program that identifies the security vulnerabilities of an organization and then takes measures to mitigate those risks. Because the CCPA (like GDPR) applies a reasonableness standard to security, a risk-based approach to breach prevention lets Businesses achieve a high degree of security, limit their exposure to lawsuits (the CCPA gives Consumers the right to sue in certain limited instances), and, most importantly, protect Consumers.
Salesforce and the CCPA
Salesforce has carefully prepared for the CCPA. In relation to our customers, Salesforce qualifies as a Service Provider under the CCPA and is dedicated to helping our customers comply with the CCPA when using our services. We think our customers who previously signed our Data Processing Addendum (DPA) likely already have adequate terms meeting the requirements of the CCPA. Nonetheless, a new DPA that includes terms specifically designed for the CCPA is available on our website, and customers can transition to the new DPA if they prefer to.
Salesforce will continue to monitor developments surrounding the CCPA to ensure we do all we can to comply with the law and help our customers comply as well.
Let’s Sum It Up
The CCPA is complex and requires all stakeholders to change the way Personal Information is managed. By working together, we can make sure we comply with the CCPA, allow people to exercise their rights, and improve how we protect everyone’s privacy.