On January 1, the California Consumer Protection Act (CCPA) went into effect, creating new protections for the personal data of California residents and new requirements for the businesses that process it.

The CCPA is state-specific but applies to many businesses that may not consider themselves to be under the purview of California law. Here’s how to determine how the CCPA applies to your organization and take the proper steps toward compliance.

1. Determine who you are under the CCPA

You should first determine if and how the CCPA applies to your organization. Is your organization a covered business? If so, is it “selling” personal data? Are you classified as a service provider or a third party? What about your vendors? Might your organization be multiple of these?

Your organization is covered if it is a for-profit entity that does business in California, collects the personal information of California residents, determines the purposes and means of processing that information, and at least one of the following applies: 

To note, under the CCPA, the term “sell” is defined broadly to include many actions that your business may not have regarded as sales. For example, placement of a third-party cookie on your website to enable advertising could fall within scope, as well as allowing vendors to analyze data for their own purposes. The CCPA definition of personal information is broad and includes cookies, a device identifier, pixel tags, customer number, information linked to a household and more.

2. Update your vendor contracts

Updating vendor or customer contracts is critical to compliance and limiting liability. In fact, for a vendor to be classified as a service provider under the law, a contract must be in place. To avoid the requirements associated with the “sale” of personal information, the stated expectation in contracts and other communication with vendors going forward may become that vendors have not and will not “sell” personal information.

This article guides you through the nuances of determining whether your organization or vendors are classified as service providers or third parties.

3. Update your privacy policy

Covered businesses need to update privacy policies and other relevant disclosures to ensure consumers are provided the information required by the CCPA at the appropriate time. It is important to note that information regarding the categories of personal information to be collected and the purposes for which the categories of personal information shall be used must be provided to the consumer at or before the point of collection.

Regarding privacy policies, businesses must disclose the following: 

4. Enable consumer requests, engagement and opt-out of data sales

Businesses need to create or confirm availability of processes to enable consumer requests. An important consideration at the outset is whether to adopt a global approach to consumer access requests or segment individuals depending on their location and the relevant legal requirements.

Immediate areas to enable include: 

5. Implement employee training

The CCPA requires that all individuals responsible for handling consumer inquiries about the business’s privacy practices or compliance with the law are informed of its requirements and how to direct consumers to exercise their rights.

Training on the law’s overall requirements, handling of access and deletion requests, and verification processes, as well as reasonable security practices (given the risk of harm caused by and private right of action associated with data breaches) are key areas to target.

With only 4% of firms considering themselves fully CCPA compliant by November 2019, there is a lot of work to be done in the new few months. Make sure you and your organization are ready, because July enforcements are just around the corner.

Caitlin Fennessy is Research Director at the International Association of Privacy Professionals (IAPP), where she helps to promote the privacy profession through empirical and qualitative research on privacy functions globally. Prior to joining the IAPP, Fennessy was the Privacy Shield Director at the US International Trade Administration. She has a master’s degree in public affairs from Princeton University and a bachelor’s degree in social policy from Northwestern University.