California Consumer Privacy Act (CCPA): What’s Required and How to Comply
With the California Consumer Privacy Act about to go into effect, the time is now to make sure your company is preparing to adhere to the new requirements. Mike DeAndrea, GRC Practitioner and Advisory Solution Architect at Milestone shares the important information you need to know to achieve and maintain CCPA compliance.
When does my company need to comply with the CCPA?
The new California Consumer Privacy Act goes into effect on January 1, 2020 and becomes enforceable by the State Attorney General’s office six months later on July 1, 2020.
Which companies does the CCPA affect?
The California Consumer Privacy Act applies to any company anywhere in the world that meets certain minimal thresholds and that collects, processes, or sells the personal information of any California resident.
If your company generates annual revenues of $25 million or more, it must comply. Even if it generates less than $25 million it must still comply if it collects information on more than 50,000 California consumers annually or if it generates more than half of its revenues by selling the personal information of California residents.
What is the CCPA?
At its core, the CCPA grants California consumers greater transparency and control of their personal information. Specifically, it grants Californians three primary rights:
- The right to know what information a company has collected about them, how that information is being used, and with whom that information is being shared. This is also known to as the ‘right to access.’
- The right to request that a company delete their personal information. This is also known as the ‘right to erasure.’
- The right to request that the company stop sharing/selling their personal information. This is also known as the ‘right to opt-out.’
The law also requires that companies completely and accurately fulfill verified consumer requests within 45 days of receiving the request.
To comply with these requirements, companies need to:
- Enable consumers to exercise their rights – typically by providing a form on their primary website for submitting ‘Consumer Rights Requests.’
- Establish processes for verifying, fulfilling, tracking, and responding to all requests received within the 45-day mandate.
- Enhance their data management processes to ensure they understand what personal data has been collected, where it came from, where it is stored, and with whom it is shared.
- Establish data security processes to safeguard the personal information they’ve collected.
And, once all these processes are in place, they need to be monitored to ensure the organization remains continually compliant and audit ready.
How can Milestone help me achieve California Consumer Privacy Act compliance?
Milestone can help you implement a robust California Consumer Privacy Act compliance assurance program that leverages your investment in ServiceNow to:
- Create (or integrate with) your CCPA Consumer Request Intake webform.
- Verify requests either directly or by integrating with a dedicated identity verification provider.
- Create and automatically route consumer requests for fulfillment based on request type.
- Create, automatically assign, and track specific tasks required to fulfill requests.
- Maintain an audit trail of all activities performed in fulfilling a request.
- Automate notifications to keep requestors informed of the status of their request.
- Implement and monitor service level agreements (SLAs) to ensure all requests are completed within 45 days.
- Implement dashboards to provide up-to-the-minute transparency into your CCPA profile.
- Establish a system of internal controls and continually monitor those controls to immediately detect and respond to non-compliance events.
In short, Milestone can help ensure your organization becomes and remains continually CCPA compliant and, by leveraging our extensive ServiceNow platform experience as well as our regulatory compliance expertise, you can rest assured that your CCPA compliance solution will be efficient, effective, scalable, and meet the unique needs of your organization.
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Milestone
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Milestone customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time. Mike has extensive experience both as a practitioner and a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization.