Requirement violations include penalty thresholds that may expose large California-based businesses to substantial risk. Both organizations with existing privacy capabilities, such as those developed for General Data Protection Regulation (GDPR) compliance, and those without any previous preparation may need the entire grace period before the deadline to deploy necessary capabilities. Our road map illustrates how companies can achieve CCPA readiness by 2020.
Companies serving or employing California residents may find these five CCPA requirements have the biggest impact on their business plans:
1. Data inventory and mapping of in-scope personal data and instances of “selling” data
2. New individual rights to data access and erasure
3. New individual right to opt-out of data selling
4. Updating service-level agreements with third-party data processors
5. Remediation of information security gaps and system vulnerabilities
The CCPA is the beginning of “America’s GDPR.” Similar to the GDPR, the CCPA will require organizations to focus on user data and provide transparency in how they’re collecting, sharing, and using such data. But to what extent can a company extend its GDPR capabilities into its California operations to prepare for CCPA? Certain CCPA requirements overlap with the existing GDPR individual rights requirements, which may give GDPR-ready organizations a jump start on building a capability around user-data handling practices. Still, several policies, processes, and systems will still need updating to address differences between the two laws.
CCPA is the first state privacy law of its kind, and it may be just the beginning, as the future of domestic privacy legislation in the United States is just starting to unfold with this new law. With a deep bench of privacy professionals seasoned by this year's GDPR deadline, PwC can help your organization approach CCPA compliance, including operational and structural impacts. We'll also help you understand future US privacy legislation and regulations if and when they are instituted.