CCPA Readiness Quiz: Are You Prepared for Jan. 1, 2020?
October 15, 2019, Ken Dreifach

Is your organization ready for the CCPA? With Governor Newsom recently signing five amendments into law and draft regulations still under review, the CCPA continues to grow more complex as January 1, 2020 approaches. Take the assessment quiz below to measure your CCPA readiness.

1. Have you mapped all of the types of personal information (PI) that you receive?
   Yes, we are doing this!
   No, we are hoping that the definition of PI gets amended and we won't have to address this.
   No, we do not generally track which types of data we obtain.

2. Have you determined whether and when you act as a business vs. a service provider vs. a third party (or, sometimes, more than one of those)?
   We are going to rely on the work we did for GDPR; it's pretty much the same thing, right?
   No, we are going to wait and see what requests we get from our customers and vendors.
   Yes, we have figured this out; we know what we are.

3. Based on discussions or contract amendments, have you determined whether you will be treated as a service provider by your customers or data suppliers?
   Uh oh, we're hoping this won't happen.
   Yes, we are aware that this may occur and we have developed an approach to mitigate it.
   We're relying on our sales team to field these requests as they come in and handle them appropriately.

4. Do you ever sell personal information that you sourced from a data provider? If you do, can you meet the CCPA requirement that the consumer received "explicit notice" (and an opportunity to opt out) at the time of collection or through a subsequent communication?
   Our contracts aren't that organized and we're really not sure what they say. It would be annoying to try to figure this out.
   We've thought through the "explicit notice" requirements and we've determined that our current contracts and protocols comply, if and when this applies to us.
   What's "explicit notice"?

5. Do you provide a "Do Not Sell" link on your website, or otherwise ensure that consumers whose data you sell are given a chance to opt out of that sale?
   We may sell data, but we think a "Do Not Sell" link is overkill.
   We're waiting to see if California regulators give more guidance on what constitutes a sale.
   We have an effective "Do Not Sell" link, page, and process, or plan to have one by Jan. 1, 2020.

6. Do you always comply with contractual restrictions from your data suppliers or customers regarding your rights to use data?
   We're careful about drafting and signing agreements, and we follow the restrictions imposed on us.
   We don't think our data suppliers really care how we use their data, so long as they get paid.
   We don't really know or track what our contracts say.

7. If you need a "Do Not Sell" method, have you determined what it will be?
   As of now, we will offer a toll-free phone number (unless that requirement changes) and a website-based method.
   We don't really know; we're going to wait and see.
   We'll post something on our site, but we won't have a toll-free number.

8. If asked, are you able to tell consumers whether you've sold their personal information in the last 12 months?
   Yes, we'll be able to do this through logging that we either have in place now or are building.
   We can make an educated guess, but we won't be able to say for sure.
   We'll allow deletion. That should be good enough.

9. Have you put in place policies allowing consumers to access and delete their personal information?
   Yes, our policies are in place and we've mapped our data so we can respond to access requests.
   We're having trouble figuring out what access we're supposed to provide.
   We're worried about providing consumers with access to their data. We just have so much of it, and they may get upset when they realize what we know about them.

10. Have you decided on one or more verification methods for when consumers wish to access their personal information?
   Yes, we have a verification method in place. If we hold especially sensitive data, we'll implement an extra verification step.
   No, we have a lot of online data, and verifying that information is impossible.
   We haven't quite worked this out yet.

11. Have you determined which data you're allowed to keep after a deletion request, and how you're allowed to use data even after a deletion request?
   We haven't thought that far ahead.
   Yes, we know we may be allowed to keep data for certain important purposes.
   We didn't realize there was a difference between a "Do Not Sell" request and a deletion request.

12. Have you either ruled out the possibility that you obtain personal information from consumers under 16 (COPPA covers only children under 13; the CCPA also covers 13- to 15-year-olds), or set up processes to obtain affirmative opt-in consent before selling their information?
   We didn't realize this was covered under the CCPA.
   We're compliant with COPPA, which should be enough.
   We don't work with data from children under 16, and we have controls in place to ensure we don't accidentally get that data.