CCPA compliance
CCPA grants consumers the right to request a business to disclose the categories of personal data, sources from which that data is collected, the business purposes for collecting or selling the data, and what third parties the private information is shared. On January 1, 2021, these rights extend to employees.
What is CPRA?
CPRA amends the CCPA to create additional consumer privacy rights, such as the right of correction and the right to limit the use and disclosure of sensitive personal information.
It also establishes the California Privacy Protection Agency (CPPA), shifting rulemaking and enforcement authority from the California Attorney General to the new state agency.
CPRA effectively nullifies the debate, incorporating individuals’ ability to opt-out of the sharing of information — not just its sale — for behavioral advertising purposes. Businesses would have to disclose how long they keep data and ensure that the timeline is only as long as is “reasonably necessary."
CPRA goes into effect on January 1, 2023 with retroactive oversight into a company’s data practices as far back as January 2020.
How Mazars helps
Our experienced privacy specialists help organizations understand the risk exposure from the CCPA and define a clear plan to mitigate compliance risk in the areas of:
Privacy governance
- Policy development
- Privacy notice
- Vendor contract management
Data classification
- Privacy classification
- Data security controls
Compliance monitoring
- Risk assessment (PIA/DPIA)
- Demonstrate compliance
- Risk management program
- Data registry (RoPA)
Response
- Cure activities
- Consumer rights requests
- AG response
- Incident & data breach response
CCPA enforcements
- Who can Enforce? Enforcements are ordered by the California Attorney General
- Cost of Fines? $7,500 fine per violation, $100-$750 per incident or damages; whichever is greater
- Obligations? Disclose types of private data collected, processed, shared and sold
- Verify identity of consumer before fulfilling requests
- Respond to Consumer Rights request within 45 days
- Quality of service can not be reduced due to consumer objections
Common CCPA data challenges data controls
- Creating a control environment that maps regulator requirements
Data discovery
- Understanding where data is located and where it is shared inside and outside the company
Data classification
- Current state assessment of the data type, and data controls
Data management
- How to enforce rules and demonstrate compliance (Internal and 3rd party)
Data response
- Responding to data subject requests and breach notification to Attorney General and consumer
Data retention
- Understanding how to manage data retention across the organization
Technology
- Siloed systems
- Lack of interfaces
- Limited infrastructure
Workforce
- Limited personnel
- Integrated skill sets
- High cost