CCPA Compliance Checklist

1. CCPA Compliance Scope

Annual Gross Revenues Above $25 Million: Ensure your organization meets the revenue threshold.
Personal Information of 50,000+ Consumers: Verify if you possess data of this magnitude.
More Than Half Revenue from Selling Personal Information: Assess your revenue sources.

2. Disclosures

2.1 Notice Before the Point of Collection

Display Consent Notice Before Data Collection: Ensure no personal information is collected before showing the consent notice.
State Categories of Personal Information and Purpose: Clearly outline what data is collected and why.
Include 'Do Not Sell My Personal Information' Link: If applicable, provide an opt-out link.
Provide Link to Privacy Notice/Policy: Direct users to your comprehensive privacy policy.
Update Consent Notice When Collecting More Data or Changing Purpose: Refresh the notice as needed.

2.2 Privacy Notice/Policy

Categories of Personal Information Collected: Detail the types of data you collect.
Purpose of Data Collection: Explain why you are collecting each type of data.
Categories of Sources: Identify where the personal information is sourced from.
Categories of Personal Information Sold/Shared/Disclosed: Specify what data is shared and with whom.
Categories of Third Parties Shared With: List the third parties receiving the data.
Describe Consumer Rights and Exercise Process: Outline how consumers can exercise their rights under CCPA.
Provide Business Contact Information and Notice Update Date: Ensure consumers can reach you and know when the policy was last updated.
Process for Minors' Personal Information: Include opt-in/opt-out procedures for minors under 16.
Financial Incentive Policy: If offering incentives, detail how consumer data is evaluated and how to opt-in/out.
DSR Metrics for High Volume Data Handling: Track and report data subject request metrics if handling over 10,000,000 PI annually.

3. Data Types Regulated by the CCPA

Define Personal Information: Clearly identify what constitutes personal information under CCPA.
List Examples of Personal Information: Include names, addresses, financial info, behaviors, etc.
Identify Inferred Personal Information: Recognize data inferred from consumer behavior.

4. Selling Personal Information

Operationalize 'Do Not Sell': Ensure personal information is not sold within 15 days of opt-out requests.
Sign and Enforce Agreements with Service Providers: Comply with CCPA requirements before sharing PI.
Provide Opt-Out for Consumers Aged 16 or More: Allow them to opt-out of selling their personal information at any time.
Detect and Accept Global Opt-Out Signals: Recognize browser settings and other global opt-out preferences.
Notify Consumers Before Third Parties Use Sold PI: Inform consumers if third parties use their sold PI for different purposes.
Stop Selling PI of Individuals Aged 16 or Younger Without Consent: Implement processes to prevent unauthorized PI sales.
Limit Subsequent Sale by Service Providers: Restrict service providers from selling PI if consumer opts out.
Honor Opt-Out Requests for 12 Months: Do not attempt to re-obtain consent within this period.

5. The Right to Access

Provide Multiple Access Request Options: Offer an 800 number and an online method (e.g., web page).
Verify Consumer Requests: Implement secure verification methods (e.g., secure email).
Provide Personal Information Within 45 Days: Respond promptly to access requests.
Identify Sources and Purpose if PI Was Sold: Inform consumers about data sources and third-party recipients.
Include Required Information in Access Requests: Categories of PI collected, sources, purposes, and third parties.
Track Personal Information Locations: Ensure all data systems are mapped to fulfill access requests.

6. The Right to Deletion

Implement Deletion Request Process: Allow consumers to request complete data deletion via forms or portals.
Verify Deletion Requests: Use collected information to authenticate requests.
Determine Deletion Exceptions: Identify if any data retention exceptions apply.
Permanently Erase Personal Information: Remove data from all active systems except backups.
Direct Service Providers to Delete PI: Ensure third parties also delete the consumer’s data.
Ensure Data Isn’t Required for Specific Purposes: Confirm data isn’t needed for transactions, security, errors, free speech, research, legal compliance, etc.

7. Cybersecurity

Implement CIS Critical Security Controls: Adopt the 20 CIS controls to safeguard personal information.
Establish Data Breach Response Protocols: Prepare to handle breaches and notify affected consumers promptly.
Train Staff on Cybersecurity Measures: Ensure employees understand and follow security protocols.
Conduct Regular Cybersecurity Risk Assessments: Identify and mitigate potential security threats.

7.1 Implement CIS Critical Security Controls

1. Inventory of Authorized and Unauthorized Devices: Maintain a detailed inventory of all devices connected to the network.
2. Inventory of Authorized and Unauthorized Software: Track all software applications in use within the organization.
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Apply security configurations to all devices and software.
4. Continuous Vulnerability Assessment and Remediation: Regularly scan for vulnerabilities and address them promptly.
5. Controlled Use of Administrative Privileges: Restrict administrative privileges to essential personnel only.
6. Maintenance, Monitoring, and Analysis of Audit Logs: Keep detailed logs of system activities and monitor them for suspicious behavior.
7. Email and Web Browsing Protection: Implement security measures to protect against email and web-based threats.
8. Malware Defense: Deploy anti-malware solutions to detect and prevent malicious software.
9. Limitation and Control of Network Ports, Protocols, and Services: Restrict unnecessary network ports, protocols, and services.
10. Data Recovery Capability: Ensure data can be recovered in case of loss or corruption.
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Apply secure settings to all network infrastructure devices.
12. Boundary Defense: Implement measures to protect the network perimeter from unauthorized access.
13. Data Protection: Encrypt sensitive data and manage encryption keys securely.
14. Controlled Access Based on the Need to Know: Ensure access to data is granted based on necessity.
15. Wireless Account Control: Secure wireless networks and manage access credentials.
16. Account Monitoring and Control: Monitor user accounts for suspicious activities and enforce account controls.
17. Security Skills Assessment and Appropriate Training to Fill Gaps: Evaluate and enhance the cybersecurity skills of your team through training.
18. Application Software Security: Implement security best practices in software development and maintenance.
19. Incident Response and Management: Develop and maintain an incident response plan to handle security breaches.
20. Penetration Tests and Red Team Exercises: Conduct regular penetration testing and red team exercises to identify and address vulnerabilities.

8. Privacy Training

Train Compliance Professionals: Educate staff handling consumer inquiries on CCPA rights and procedures.
Provide Ongoing Privacy Training: Use online courses and training modules to keep staff updated.
Train Staff on Handling Inquiries: Ensure employees know how to respond to data access and deletion requests.

9. CCPA Compliance Checklist

Update Privacy Policies: Ensure privacy policies are compliant with CCPA requirements.
Create Methods of Accessibility: Establish easy methods for customers to request data access and deletion (e.g., toll-free number).
Implement Verification System: Verify consumer identities before providing access to personal information.
Enhance Data Governance: Prepare records, data maps, and inventories of California consumers' personal data.
Add Opt-Out Button: Facilitate easy opt-out from the sale of personal information.
Obtain Consent from Minors: Develop processes to obtain consent from minors (13-16 years) or parental consent for those under 13.

10. Risk of CCPA Non-Compliance

Maintain CCPA Compliance: Continuously adhere to CCPA regulations to avoid fines and lawsuits.
Respond to Consumer Requests: Ensure timely and accurate responses to data access and deletion requests.
Provide Adequate Notice: Inform consumers about data collection and usage practices.
Offer Opt-Out Options: Allow consumers to opt-out of selling their personal information.
Avoid Discrimination: Do not discriminate against consumers exercising their CCPA rights.
Prevent Data Breaches: Implement robust cybersecurity measures to protect personal information.

Additional Best Practices

Conduct Cybersecurity Assessments: Regularly evaluate and strengthen your security measures.
Maintain Data Inventories: Keep detailed records of all personal data collected and processed.
Automate Compliance Processes: Use tools and technologies to manage data requests and ensure compliance efficiently.

How to Use This Checklist

Review Regularly: Schedule periodic reviews of each checklist item to ensure ongoing compliance.
Assign Responsibilities: Designate team members responsible for each compliance task.
Update as Needed: Modify the checklist to reflect changes in your data processing activities or CCPA updates.