A quick reference guide for CCPA compliance

Comparing CCPA compliance and the GDPR

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Is your organization prepared? Discover how the General Data Protection Regulation (GDPR) has paved the way for CCPA compliance initiatives.

The CCPA, effective January 1, 2020, will have a significant impact on corporate privacy initiatives across all sectors of the technology, media and entertainment, and telecommunications (TMT) industries. TMT companies that may still be in the process of compliance deployment for the European Union’s (EU) GDPR have some advantages in addressing the new requirements, but brands that are primarily focused on the United States and markets in the Americas largely avoided the GDPR’s scope. Regardless, the rising tide of privacy concerns among consumers and legislatures globally is driving data privacy mobilization across TMT.

Considered one of the strictest privacy laws in the United States, the CCPA provides California residents with the ability to control how businesses process their personal information. Businesses will now have to honor requests from California residents to access, delete, and opt out of the sharing or sale of their information. Additionally, businesses will have to consider a number of CCPA-specific requirements when updating their privacy programs, such as the CCPA’s prescriptive opt-out measures and the need to stop selling consumer data upon an individual’s request.

Five frequently asked questions about CCPA compliance

How does the CCPA stack up to the GDPR?

The GDPR and the CCPA have a number of similarities, but the CCPA’s unique requirements demand focused efforts on the part of businesses to achieve and maintain compliance. Organizations that have previously updated their governance mechanisms and operational implementations to comply with the GDPR have an advantage over businesses that were not subject to it. One specific element of that work is transitioning from a point-in-time GDPR project to a scalable, regulatory-agnostic, and efficient privacy program that can remain responsive as privacy regulations stabilize and mature.

With clarification from lawmakers on elements of the CCPA still pending, organizations may not have a sense of urgency when it comes to getting their compliance programs ready. But TMT companies should have learned from GDPR that the level of effort for developing a compliance program can be a lengthy process, and it’s critical to get started as soon as possible.

How the CCPA compares to GDPR

Third-party risks increase with new privacy regulations

Under both the GDPR and the CCPA, third-party risk management will likely be challenging for many organizations.

Any number of third parties potentially house an organization's data, including external vendors performing marketing, billing, or collections. Under the CCPA and the GDPR, the organization that gathers or processes the personal information is responsible for keeping that data private, which requires a contract in many circumstances.

Organizations should consider a thorough and complete review of existing contracts to inventory and determine which third parties might be collecting, processing, or retaining personal information on that organization’s behalf. Upon identifying those in-scope contracts, the next steps may include amending or renegotiating those contracts to achieve compliance. Additionally, consider different technologies to extract the privacy clauses involved and conduct an analysis against standards and regulatory provisions.