1 Executive Summary
Since January 1st, 2020, when the California Consumer Privacy Act (CCPA) came into force, the requirements for managing the personal data of California consumers have changed. This legislation has secured new privacy rights including the “right to know”, the “right to delete”, the “right to opt-out”, and the “right to non-discrimination”. While the Attorney General of California cannot bring an enforcement action under CCPA until July 1st, 2020[^1], you need to prepare now. This report identifies six key actions that IT needs to take to ensure compliance. The key steps that you need to take are:
- Discover the PII data – the first and most important step is to discover the Personally Identifiable Information (PII) that is held in your IT systems.
- Categorize the data – to ensure that you know not only what data you hold but also which data is within the scope of the legislation.
- Manage Consumer Identities – to support the new consumer rights, and to identify which consumers are within the scope of this legislation, you need to manage their identities.
- Manage Consumer Rights – you will need to adapt consumer-facing systems and set up processes to support the new privacy rights that consumers have under the legislation.
- Manage third-party processors – the above also applies where data is held or processed by a third party such as a cloud service.
- Implement Privacy Engineering – this is an approach to the design and implementation of data processing systems to ensure that they reliably meet the requirements for processing personal data in a trustworthy and compliant manner.