What are the steps for CCPA Compliance?

17 Actionable Steps – A Complete Guide For CPRA Compliance

Imagine getting ready for CPRA compliance in a short period of time. GDPR compliance took you a lot of time and money. Now, the CPRA – California Privacy Rights Act goes into effect on Jan 1, 2023. And, enforcement includes data you collected starting Jan 1, 2022. You do not have much time. You have several other priorities as well. What if you could follow a simple step-by-step process to get ready for CPRA in one week?

Or even better.. What if there is a complete guide for CPRA compliance? … and each of these 17 steps are easy to follow and implement. Nearly all of these 17 steps cost you no additional money. You are probably eager to read and follow these steps.

This is exactly what I am going to share with you in this post. 17 practical and actionable steps that you could use for CPRA Compliance in One Week or Less.

What are the steps for CPRA Compliance?

1. Does CPRA compliance apply to your business?

2. Deploy privacy request intake management

3. Determine categories of data (personal information) you collect

4. List reasons for collecting data for each category

5. List sources of data collection

6. Scan website and list all cookies you use

7. Get a list of all cloud and internal apps that store personal information

8. Review privacy clauses in your partner/supplier agreements

9. Amend privacy clauses in your customer agreements

10. Update privacy policy on your website

11. Send notices to partners with your privacy policy

12. Send notices to customers with your privacy policy

13. Assess vendor compliance risk

14. Deploy privacy APIs to access data for privacy requests

15. Prevent data breaches from your endpoints

16. Deploy a network DLP

17. Deploy Cloud DLP (Offce 365 DLP)

…and once you are done, please share and comment on how long it took you to get ready for CPRA compliance using these 17 actionable steps.

1. Does CPRA compliance apply to your business?

Look, there is a lot of blogs out there that outline the law. They detail out how CPRA applies to your business. For example, you are a business in California, and have a revenue of $25 Million or more, or have information about 100,000 California consumers. This is exhaustive.

Let’s make this as simple as an easy button:

Are you a non-profit company?

If you answer is Yes, and if you parent company is also a non-profit company, then save time and skip reading this entire blog, and go watch Netflix.

Is your business in any way related to California?

If your answer is No, then what are you still doing here? Go and play a round of golf. Let me explain my usage of the word related. It means your business is registered in California. Or, you have revenue from California consumers. Or, you pay any taxes in California. Or, you own any property in California. Now, the next questions get a bit tricky….

Is your annual revenue in the next twelve months more than $25 Million?

If your answer to this is Yes, then skip this section and move to step 2. I simply ask you to start taking action. You now have one more urgent project. This question is tricky because it may not be California based revenue. Rulemaking from California AG is completed. It is fair to assume $25 Million in total revenue.

Based on your current projections if your annual revenues are likely to exceed $25 Million, then you must have CPRA compliance. My recommendation is to start taking action if your revenues are likely to exceed $20 Million.

Do you have more than 1900 visitors on your website from California in the last 7 days?

This is easy to check.

Login into your Google Analytics
Navigate to Geo -> Location and Click on California
Select last 7 days timeline for the report
Check the number of users when you move your cursor to California
Is this number more than 1900?

does you need CCPA compliance? — Does your company need CPRA compliance? Determine that by the number of users on Google Analytics. If your answer is Yes, then skip this section and **move to step 2**. Start taking action. If you do not use Google Analytics, then check for this with your web marketing team.

Do you have more than 100,000 customers in California? Check your CRM.

If you have access to your CRM system, then login to your CRM system. Create a report that includes contacts, leads, for the past 12 months. Filter this report for California. Get a total count. Does this count exceed 100,000? If the answer is Yes, then skip this section and move to step 2. And, start taking action.

Or alternately check your email marketing system like MailChimp. Do you market and send your newsletter or emails? Do you send emails to 100,000 email addresses that are likely located in California? If the answer is Yes, then start taking action.

Are you are still reading this section?

Are you a software company dealing in data as the new oil? Boy-o-boy. We can send you a pdf version of this blog. Get a cup of coffee. Start taking action.

2. Deploy CPRA privacy request intake on your website

Privacy requests are new. Your business is required to provide this on your website. Either a web form, phone number, email address, or a mailing address. You could do a combination of one or two of these mechanisms. Check out our detailed blog on CPRA/CCPA Privacy Request Management.

No business can estimate the number of requests. Plan for 5-10% of your users to send privacy requests. We stay optimistic and expect a much lower request intake in 2020.

Option 1: Create a web form similar to this and deploy it on your website.

Do you have a WordPress website? Simply deploy a forms plugin – WPForms or Ninja Forms.

Create a form for CPRA/CCPA privacy intake and manage your requests using WordPress. Include basic email verification. Here is an example form:

CPRA/CCPA Compliance Privacy Request Intake Form

Option 2: Sign up to Essert.io

The app is easy to setup. It scales your workflow. Essert provides 13 pre-built email templates. And, it is free to use.

CCPA Compliance: Privacy Requests Management Application

CPRA/CCPA Compliance: Privacy Requests Management – Sign Up It is Free.

Option 3: Sign up to one of several vendors

Several vendors started with GDPR. They also support CPRA/CCPA. While many of them provide free trials, as of this update, none of them provide free intake management software. Essert.io delivers a free app.

Option 4: Review this blog and create your own privacy request management system

Enough said. Need more information on how to manage the intake of privacy requests? Check our blog. Time to move to the next section.

3. CPRA/CCPA Compliance needs categories of data you collect

CCPA (California Consumer Privacy Act) or CPRA (California Privacy Rights Act) provides the requester a right to know categories of data you collect. Reach out to your digital marketing team for any help. List all the categories of data you collect. Let’s get started.

Here is a sample list of categories that you could use:

Internet or network activities
Device-specific information
Commercial information (ex: orders, history, credit card data, etc.)
Identifying information (ex: email, phone, etc.)
Health information
Biometric information
Fitness information
Professional or employment-related information
Educational information
Geolocation information
Audio/Video information
Automotive information
Information users share
Information to process privacy requests

Now create your own list of categories. The next step is to create an email template that includes your list of personal information categories that your business collects. Create an email template with categories of information collection. Why should you create email templates? Here is a sample email template…

Email templates are important to deliver consistent responses to consumers.

Subject:  Privacy Request – Categories of Information Collected 
Message:
Hi {Name},
We received a privacy request from you regarding the categories of personal information we collect. We collect the following categories of information:
 - Internet or network activities
 - Device type information
 - Commercial information (ex: orders, history, credit card data, etc.)
 - Identifying information (ex: email, phone number), and
 - Information to process the privacy requests

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

You may have to create multiple email templates for each requester type. Each of these templates may differ on categories of information collected.

4. List reasons for collecting data by category

CPRA/CCPA provides the requester a right to know why your business is collecting data. A few businesses collect data to sell as data brokers. Get started. Let’s make it a simple one-time process. You may need help from your digital marketing team. Here is a simple list of all the reasons for collecting data. Get started.

Please use this list to get started with your own list.

To Enforce Policies, Terms, and Conditions
To Track and Monitor Website Usage
To Analyze Website Visitor Behavior
To Improve Website Performance
To Improve Visitor Engagement
To Service Customers
To Provide Sales and Support
To Answer Questions or Address Requests
To Evaluate Suitable Candidates for Jobs
To Create User Accounts
To Communicate Marketing and Sales Promotions
To Communicate Company Policy Information
To Fill and Manage Sales Orders and Support Requests
To Write Testimonials
To Deliver Advertisements
To Get Customer Feedback
To Share Data With Data Brokers
To Aid in Research
To Aid in Behavioral Analysis
To Process Privacy Requests

Create an email template to communicate with the requester

Here is an example. You may have to create multiple email templates.

Subject: Privacy Request - Collection Purpose
Message:
Hi {Name},
We received a privacy request from you regarding the purpose of collecting personal information. Our purpose of collecting your personal information is as follows:
 - To Communicate Marketing and Sales Promotions
 - To Communicate Company Policy Information
 - To Fill and Manage Sales Orders and Support Requests
 - To Write Testimonials
 - To Deliver Advertisements
 - To Get Customer Feedback
 - To Enforce Policies, Terms, and Conditions
 - To Share Data with Data Brokers

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

5. List all sources of data collection

CPRA/CCPA provides the requester a right to know sources of data you collect. Reach out to your digital marketing team and list all data sources. Let’s get started.

This is a sample list to get started.

Laptops and Desktops
Websites
Desktop Apps
Web Apps
Mobile Apps
Shopping Carts
Phone Calls
Fitness Devices
Mobile Devices
Video Streaming Devices
Medical Devices
Smart Speakers
Smart Toys
Security Cameras
Wifi Routers
Automotive Sensors
Smart Sensors & Scanners
Tablets
Data Services
3^rd Party Data Brokers
Social Media Platforms
Advertising Platforms

Create an email template

Use this example email template.

Subject: Privacy Request - Soruces of information collection
Message:
Hi {Name},
We received a privacy request from you regarding the sources of collecting personal information. Our sources of collecting your personal information are as follows:
 - Laptops and desktops
 - Websites
 - Desktop apps
 - Web Apps
 - Shopping cart
 - Phone calls

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

6. Scan your website and list all the cookies used

Do you have cookies on your website? Nearly all those cookies collect personal information. CPRA/CCPA compliance requires you to know all your cookies. Why?

Provide a detailed notice of data collection
Service Opt-Out, privacy request
Service Delete My Personal Information, privacy request
Provide personal information stored in these cookies

Note: CPRA/CCPA does not require you to create an opt-in for cookie tracker similar to GDPR. COPPA and opt-in apply for children.

With the cookie list, you can start an inventory to map the data. Use one of these free tools to know your cookie data stores. Discover all your cookies your website is generating. Scanners generate reports to identify and classify cookies discovered in this process. Next step click one of these tools and get a detailed report.

You may create your own cookie scanner using this open source project.

Read more about CCPA cookie consent management here.

7. List all Cloud and internal apps that store personal information

Data mapping is a secret ingredient to achieve CPRA/CCPA compliance. CPRA/CCPA compliance requires:

Where you store data (personal information)
How you process this data
Who you share this data

Step 1 kicks off your data mapping process for the purpose of CPRA/CCPA compliance. From the previous sections you have the list of cookies on your website. Use this table to document where your cookie data is stored. Nearly all cookies capture personal information.

Cookie Name	Where Stored	Name of Admin	3^rd Party (Y/N)
Google Analytics	Analytics.Google.com	John Doe	Y
Automattic Inc.	WordPress.com	Jane Doe	Y
comScore Inc.	ComScore.com	John Doe	Y
Fusio	S4m.io	Jane Doe	Y

To get all these template and the entire blog as a word document CONTACT US.

Next up, list all cloud applications your business uses. The following table helps you document all your cloud applications.

Cloud App Name	Name of Admin	Personal Information?
Salesforce.com	John Doe	Y
WorkDay.com	Jane Doe	Y
Office365.com	John Doe	Y
DropBox.com	Jane Doe	Unsure
Slack.com	John Doe	Unsure

Your business has many internal applications. These may be developed internally or 3^rd party licensed software. These may be in your own data center or in your private cloud instance. The following table helps you document your internal applications.

Internal App Name	Name of Admin	Personal Information?	3^rd Party?
Microsoft Exchange	John Doe	Y	Y
Quicken	Jane Doe	Y	Y
Kronos	John Doe	Y	Y
WordPress	Jane Doe	Unsure	N
InventoryMS	John Doe	Unsure	N
CoupaSoftware	John Doe	Y	Y

All done? Hooray!! For CPRA/CCPA compliance listing the apps is yet another critical step, and that helps with data mapping.

List all stores of personal information
Data discovery
Starting point to address privacy requests for data, delete data, etc.
Review 3^rd party vendor agreements (see below)

8. Review privacy clauses in your service provider or partner agreements

Why? CPRA or CCPA holds you responsible for all the personal information you store. It does not matter where and which 3^rd party touches your personal information. For CPRA or CCPA compliance it is now necessary to enforce 3^rd party compliance. Third-party CPRA/CCPA compliance implies answer to the following simple questions:

List all stores of data we share with you
How do you encrypt personal information or anonymize it?
Do you have a process to detect and communicate data breaches?
Do you have tools to identify, monitor, and delete personal information?

This may look like a lot of work with each 3^rd party. Doing this will ensure protection from liability.

Can one single step solve this?

Yes. Execute an amendment to your current agreement with each of the 3^rd parties. Include the following clause in such your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CPRA or CCPA compliance.

(a) Covenant. Company (3^rd party vendor) and any affiliate of the Company each covenant to safeguard of Personal Information (as defined in CPRA or CCPA California Consumer Privacy Act – AB 375 or its updated California Privacy Rights Act), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall at the minimum, include data and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include but are not limited to access to all personal information (a minimum of two times a year), acknowledgment to delete specific personal information, acknowledgment to stop sale (or license) of specific personal information to other 3^rd parties.

Execute this amendment with each of your 3^rd parties for CPRA or CCPA compliance.

9. Review privacy clauses in your customer agreements

Uh!! What? Why should we amend our agreements with our customers?

This is specifically important for software vendors or (digital) marketing companies. Your customers need to be ready for CCPA compliance. And they are seeking answers to these questions:

Where do you store personal information?
How do you encrypt personal information or anonymize it?
Do you have a process to detect and communicate data breaches?
Do you have APIs to identify, and delete personal information?

Be proactive.

How? Execute an amendment to your current agreement(s) with each of your customers. Include the following clause in such your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (“Your Company”) and any affiliate of the Company each covenant to safeguard of Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(d) Privacy APIs and CPRA / CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include but not limited to access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, acknowledgement to stop sale (or license) of specific personal information to other 3^rd parties.

Execute this amendment with each of your customers for CPRA / CCPA compliance. You will have an enhanced strategic relationship with your customers. The following sections detail out steps your business needs to do to address these. The result is CPRA / CCPA compliance and avoiding both civil suits and regulatory penalties.

10. Review the privacy policy on your website

Your website or mobile app privacy policy review for CPRA / CCPA must include the following:

Information collect on your website
Information on cookies that collect information
Usage of information collected on your website
Category of 3^rd parties used to collection information
Do you share information collected with other 3^rd parties?
How you store, and safeguard the data

Of course, contact your attorney. Also, several web services generate privacy policies relevant to you. Please review these services:

While most of the above are for GDPR, you could modify these for CCPA. The key element in reviewing your privacy policies is to ensure that you have two versions of the privacy policy

Legal version, and
Simple version in plain English

All done? The next step is to send notices with your updated privacy policy.

11. Send notices to partners with the updated privacy policy

Why? We just amended agreements with partners to include – ‘Covenant to Safe Guard Digital Information and CCPA compliance’. What is this new privacy poloicy update notice? A notice should be sent in two forms:

A letter
An email

Create a notification letter, and use the same content in your email as well. Ensure consistency in both the notices. Provide URL links to both the simple version and the legal version.

Step 1: Get a list of addresses (both postal addresses and email addresses)

Step 2: Send out the postal letter typically address to the legal counsel or the President of the company

Step 3: Send out an email (use mail merge)

12. Send notices to customers with the updated privacy policy

Now that you sent out notices to all your partners it is time to repeat this process with your customers. It is likely that you have more than a few thousand customers.

For a large number of customers, it is indeed expensive to send letter notification. Each letter notification is likely to cost you anywhere in the range of $2.00 to $0.50. This could get expensive fairly quickly.

We recommend that you start only with email notification for customers. Please have a way to track number of opens. Send weekly notifications only to those who have not opened the email. Repeat these weekly notification till you reach atleast 30-50% opens. This would likely take about 10-15 weeks. Ensure that you keep a record of this process.

13. Vendor risk assessment

Let’s review step 8 above. In step 8, you created CCPA compliance amendment for execution by each vendor. It is likely that you are able to get 80% of your vendors to sign this amendment. However, this is not enough. There is still a risk of penalties or class-action law suits. It is an operational risk.

The vendor has likely executed the amendment. Is there a way to check their CCPA compliance? This is the tough part. So, you need vendor risk assessment. There are two areas of vendor risk assessment for CCPA.

Area 1: Vendor security risk assessment. How vulnerable is the vendor for data breaches? Making this assessment on a vendor is a difficult operational problem.

Area 2: Vendor privacy request compliance assessment. How well does the vendor comply with the request for personal information? How well does the vendor comply with the request for deletion of data? How well does the vendor comply with the request to not sell personal information?

Several companies offer services to make a 3^rd party vendor security assessment for GDPR compliance. The market is still evolving. The following resources provide vendor risk assessment for GDPR compliance. This could be easily extended to CCPA compliance.

This step is unlikely to be fully automated. Get started and you could make improvements over time.

14. Privacy APIs to access data for Privacy Requests

What are privacy APIs? Privacy APIs is an API framework to address privacy requests. Privacy APIs are new. They are often untested. Three types of privacy requests require privacy APIs. These requests require personal information of the requester:

Request to access all my personal (requester’s) information
Request to delete all my personal (requester’s) information
Request to not sell my personal (requester’s) information

Privacy APIs enable easy and automated access to data in cloud applications. This framework could easily be extended to your business’ own data. (For more information on how to get started with Privacy APIs, please contact us.)

Now you got through 14 steps. It is time to address security

Security is not equal to privacy; and privacy or CCPA compliance does not equal security. Security is one part of privacy.

One key area of CCPA compliance is preventing data breaches. CCPA or AB 375 states

“Any consumer whose nonencrypted or nonredacted personal information … is subject to unauthorized access, theft, or disclosure … result of the business’ violation of the duty to implement and maintain adequate and reasonable security procedures and practices … may institute a civil action…. recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater…” There are several security procedures and practices. DLP, data loss prevention, is a key tool. Data Loss Prevention includes end point protection and network protection.
California Consumer Privacy Act – AB 375

15. Prevent data breaches from your endpoints

Why do you need endpoint Data Loss Prevention ? As part of CPRA / CCPA compliance, you need to maintain adequate security to prevent loss or theft of personal information. End points – desktops, laptops, and mobile devices, are vulnerable for data theft or exfiltration. End point DLP provides reasonable security to prevent such data breach.

Do you deploy anti-virus protection on all your end points? End point Data Loss Prevention is similar in deployment. Here is a sample list of vendors that provide end point DLP.

Contact us to deploy end point DLP for CCPA compliance.

16. Prevent data breaches from within your network

Have you secured the endpoints? Awesome. It is time to pay attention to rest of your network. Your business needs the ability to proxy, classify, and prevent any unauthorized exfiltration. Benefits of network Data Loss Prevention include:

Control traffic on email, HTTP(S), (s)FTP, webmail, web apps, and more
Control clear as well as SSL based applications
Enforce policies
Reduce false positive
Prevent insider threats as well as threats from bots
Provide forensics where required

Here is a small list of network Data Loss Prevention solutions:

Deploying one of these above solutions implies CPRA / CCPA compliance. You will also have the ability to fend off any civil suits resulting from potential data breaches.

17. Office 365 DLP to prevents breaches from O365

Office 365 is one of the most widely used applications. Deploying endpoint DLP and network DLP is not sufficient to prevent exfiltration from Office 365.

Why? Because, Office 365 is a cloud application and can be accessed using uncontrolled endpoints. @ $2 per user per month, this is an easy deployment and can be completed in less than a week. Depending on your budget you may just deploy Office 365 DLP and phase in endpoint DLP and network DLP.