Corporate Compliance Insights
CCPA: What Internal Auditors Should Know

Where Audit Can Focus to Ensure Compliance with the California Consumer Privacy Act

by Kevin Alvero and Michael Velasco
January 24, 2020
in Data Privacy, Internal Audit

There are similarities between the GDPR and the CCPA, but there are some key departures as well. Nielsen’s Kevin Alvero and Michael Velasco detail the differences internal auditors should be aware of to ensure compliance.

On May 25, 2018, the General Data Protection Regulation (GDPR) took effect, giving individuals in the European Union unprecedented protection and control over how organizations use their personal information. For California businesses, and for businesses anywhere that serve California residents, the GDPR turned out to be a harbinger of a similar law that took effect at the start of 2020.

Just over a month after the GDPR took effect, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law, the first comprehensive consumer data privacy law in the United States. The law took effect on January 1, 2020. Meanwhile, U.S. organizations and their internal audit teams have been working to understand and prepare for what the law means for them. At the most basic level, internal auditors should understand what the CCPA is and whom it applies to, as well as how they can help their organizations manage the risk of noncompliance.

Purpose and Scope

Just as the GDPR was designed to protect individuals in the European Union, the CCPA protects California residents’ rights regarding their personal information. These rights include:

  • The right to know what personal information an organization collects about them, the sources of that information, the business purpose for collecting it and the categories of third parties to which it is disclosed or sold (if applicable).
  • The right to opt out of the sale of their personal information to third parties.
  • The right to have collected personal information deleted, subject to certain exceptions.
  • The right to exercise these rights without receiving unequal service or unfair pricing from the organization (non-discrimination).

As one summary of the law puts it, “the overriding goals of the CCPA are to let California consumers know more about the data collected about them, along with putting some of the rights regarding that information back into consumers’ hands.”[1]

Though focused on California residents, the law’s reach is broad. One source estimates it may affect half a million companies across the United States.[2] For-profit companies that do business in California and meet at least one of the following criteria are covered:

  • Has annual gross revenues in excess of $25 million;
  • Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
  • Derives 50 percent or more of its annual revenue from selling consumers’ personal information.[3]

While it may be tempting to regard the CCPA as simply an American version of the GDPR, internal auditors should understand that the two are not the same. One of the most important differences is the CCPA’s broader definition of personal information: under the CCPA, information that can reasonably be linked to a household or a device (e.g., browsing history, geolocation data) is personal information, in addition to information that identifies an individual.[4] Another difference is emphasis: the CCPA concentrates on the collection, disclosure and sale of personal information, whereas the GDPR regulates every form of processing and requires a lawful basis for it.[5] Because of these and other differences, a company that is GDPR compliant is not automatically CCPA compliant.

Impacts

Enforcement of the law is phased. Beginning July 1, 2020, the California attorney general can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Potentially of greater concern to organizations is the private right of action: consumers whose nonencrypted and nonredacted personal information is exposed in a data breach resulting from the business’s failure to implement reasonable security procedures can sue, including through class actions, for statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater. That provision took effect on January 1, 2020.[6]

Managing Compliance Risk

Although GDPR compliance will not fully satisfy the CCPA, organizations that have worked toward GDPR compliance should find that many practices overlap. First, both focus on protecting individuals’ personal information. Second, both aim to increase transparency about that information, especially about how it is collected. Lastly, both define rights for the affected individuals, including when a business’s failure results in a data breach.

As such, internal auditors should focus their attention on several key areas when looking at CCPA compliance:

Leadership & Accountability

It is critical that one person own responsibility for CCPA compliance, and that this person has the expertise, authority and resources to take the steps needed to ensure compliance. In addition, a cross-functional team (legal, HR, IT, communications, etc.) should be assembled to lead the compliance effort.

Disclosures/Consent

Disclosures about how personal information is collected and how it may be sold are central to CCPA compliance, as are the mechanisms that let individuals opt out of the sale of their data, including the “Do Not Sell My Personal Information” link the law requires businesses that sell personal information to provide.

Internal audit should help the organization ensure that all disclosures and consent mechanisms needed for CCPA compliance are created or updated. Ongoing monitoring (continuous and/or sample-based) should verify that disclosure and opt-out mechanisms function correctly at the point of collection and that the resulting consent status travels with the data as it flows through the organization.

Policies

Similarly, policies affected by the CCPA, such as the organization’s privacy policy and data retention policy, should be updated to reflect the law and, where applicable, made available to the appropriate parties. Internal audit should periodically review these policies to ensure that they are current, compliant and accessible.

Additionally, because individuals have the right to ask what personal information an organization holds about them and to have it deleted, internal audit should assess the organization’s readiness to handle such requests through manual and/or automated processes. Trained personnel, an approved communications plan, working request channels, a procedure for verifying the identity of the requester before any data is disclosed or deleted (so that a request cannot be used to extract or destroy someone else’s data), a way to track the 45-day response deadline the law sets and documentation of each request are all elements auditors should look for.

Data Governance & Information Security

Protecting consumers’ personal information against unauthorized access is undoubtedly a central aspect of CCPA. However, in the event that a data breach does happen involving personal information, it will be critical for organizations to be able to demonstrate the steps they were taking to protect that information and manage it responsibly. Although the CCPA does not directly impose specific data security requirements, it establishes a right of action for certain data breaches caused by business failure to maintain reasonable and appropriate security practices and procedures.[7]

Internal audit should perform routine procedures to verify that the inventory of collected personal information (mapped from collection through sharing or sale) is thorough and accurate. Internal audit should also verify that a data breach response plan is in place, is current and complies with CCPA requirements.

Additionally, testing should verify that personal information that was sold was sold only where no opt-out was on file and, conversely, that information for which an opt-out was on file was not sold. Valid deletion requests should likewise be sampled to confirm that they were carried out across every system that held the data.
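The three tests described above (sales made after an opt-out, deletion requests not carried out, and requests not answered within the statutory window) can be expressed as a reconciliation over the organization’s own records. The script below is an added illustration, not code from the article or from Nielsen; the request register, sale log and inventory snapshot are constructed sample data, and their field names are assumptions. It treats the time an opt-out was received as the cutoff after which no sale may appear, and the request completion time as the response time for the 45-day check.

```python
"""Reconcile CCPA consumer requests against disclosure logs and data inventory.

Added example (not from the article). All records are constructed sample data;
field names and the log layout are assumptions about how an organization might
keep these records.
"""
from datetime import datetime, timedelta

# CCPA requires a response to a verifiable consumer request within 45 days.
RESPONSE_DEADLINE = timedelta(days=45)

# Constructed sample data: the consumer-request register, the third-party
# sale/disclosure log, and a snapshot of consumer IDs still held in the
# organization's systems after deletions were supposedly processed.
REQUESTS = [
    {"consumer_id": "c-001", "type": "opt_out", "received": "2020-01-05T09:00:00", "completed": "2020-01-06T10:00:00"},
    {"consumer_id": "c-002", "type": "opt_out", "received": "2020-01-10T12:00:00", "completed": "2020-01-10T12:30:00"},
    {"consumer_id": "c-003", "type": "delete",  "received": "2020-01-12T08:00:00", "completed": "2020-01-20T16:00:00"},
    {"consumer_id": "c-004", "type": "delete",  "received": "2020-01-02T08:00:00", "completed": None},
]
SALES_LOG = [
    {"consumer_id": "c-001", "recipient": "adtech-x", "sold_at": "2020-01-04T15:00:00"},  # before opt-out
    {"consumer_id": "c-002", "recipient": "adtech-x", "sold_at": "2020-01-15T15:00:00"},  # after opt-out
    {"consumer_id": "c-005", "recipient": "broker-y", "sold_at": "2020-01-15T15:00:00"},  # no opt-out on file
]
INVENTORY = {"c-001", "c-002", "c-003", "c-005"}  # c-003 should have been purged


def _ts(value):
    """Parse an ISO-8601 timestamp; None stays None (request not yet completed)."""
    return datetime.fromisoformat(value) if value else None


def sales_after_opt_out(requests, sales_log):
    """Return (consumer_id, recipient, sold_at) for every sale logged after that
    consumer's earliest opt-out was received. Assumption: receipt time is the
    cutoff; substitute the organization's documented implementation window."""
    cutoff = {}
    for r in requests:
        if r["type"] == "opt_out":
            received = _ts(r["received"])
            if r["consumer_id"] not in cutoff or received < cutoff[r["consumer_id"]]:
                cutoff[r["consumer_id"]] = received
    findings = []
    for sale in sales_log:
        limit = cutoff.get(sale["consumer_id"])
        if limit is not None and _ts(sale["sold_at"]) > limit:
            findings.append((sale["consumer_id"], sale["recipient"], sale["sold_at"]))
    return findings


def unfulfilled_deletions(requests, inventory):
    """Return (consumer_id, reason) for deletion requests that were never
    completed or were marked complete while the record is still held."""
    findings = []
    for r in requests:
        if r["type"] != "delete":
            continue
        if r["completed"] is None:
            findings.append((r["consumer_id"], "not completed"))
        elif r["consumer_id"] in inventory:
            findings.append((r["consumer_id"], "marked complete but record still present"))
    return findings


def overdue_requests(requests, as_of, deadline=RESPONSE_DEADLINE):
    """Return consumer IDs whose request was completed after the deadline, or is
    still open and past the deadline as of the audit date (ISO string)."""
    audit_date = _ts(as_of)
    findings = []
    for r in requests:
        due = _ts(r["received"]) + deadline
        done = _ts(r["completed"])
        if (done is None and audit_date > due) or (done is not None and done > due):
            findings.append(r["consumer_id"])
    return findings


def run_audit(as_of):
    """Run all three tests and return the exceptions per test."""
    return {
        "sold_after_opt_out": sales_after_opt_out(REQUESTS, SALES_LOG),
        "deletion_exceptions": unfulfilled_deletions(REQUESTS, INVENTORY),
        "overdue_requests": overdue_requests(REQUESTS, as_of),
    }


if __name__ == "__main__":
    for test, findings in run_audit("2020-03-01T00:00:00").items():
        print(f"{test}: {findings or 'no exceptions'}")
```

In a real engagement the sale log and inventory would be pulled from every system in the data map, not a single source; a deletion that cleared the CRM but not a marketing export is exactly the exception this reconciliation is meant to surface.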

Third-Party Agreements

The CCPA gives consumers the right to request information about how a company shares personal information with third parties and to opt out of the sale of their information. It also requires a company that offers a financial incentive in exchange for personal information to make a good-faith estimate of that information’s value. As such, internal auditors will play a key role in making sure that third-party contracts are created or updated to accommodate CCPA compliance, including the restrictions a service provider must accept on retaining, using or disclosing the personal information it receives.

Conclusion

Going forward, internal audit will be a valuable ally as organizations work to maintain compliance with the CCPA. Internal audit procedures that verify the organization’s processes and controls around personal information (disclosure, consent, documentation, request response, information security, etc.) can provide a crucial early warning when issues are detected. At the same time, internal audit should help its organization look ahead to future risk.

CCPA is unlikely to be the last legislation of its kind, and some companies are already operating under the assumption that they will be extending CCPA-type protections to consumers regardless of their state of residence.[8] Therefore, scanning for emerging risks and leveraging lessons learned through GDPR and CCPA represent opportunities for internal audit to showcase its ability to provide strategic value in addition to critical verification and quality assurance.

[1] Fair Warning. “California Consumer Privacy Act: Everything You Need to Know About CCPA, the New California Data Privacy Law.” October 30, 2019.

[2] Ibid.

[3] Wikipedia. “California Consumer Privacy Act.”

[4] Ibid.

[5] PwC. “Your readiness roadmap for the California Consumer Privacy Act (CCPA).”

[6] Ibid.

[7] Compert, C. “Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness.” Security Intelligence, April 5, 2019.

[8] PwC. “What you don’t know about the California Consumer Privacy Act.”


Kevin Alvero and Michael Velasco
Kevin M. Alvero, CISA, CFE, is Senior Vice President, Internal Audit, Compliance and Governance at Nielsen. Kevin leads the internal quality audit program for Nielsen Global Media, as well as its industry standards compliance initiatives, including the external accreditation process. Kevin began his career with Nielsen in 2003 and has been leading the Internal Audit department since 2010. In addition to his audit expertise, Kevin possesses more than a decade of experience with traditional audience measurement and digital ad measurement. Kevin is a Certified Fraud Examiner (CFE) and Certified Information Systems Auditor (CISA). He is also a member of the Board of Governors for the Institute of Internal Auditors (IIA) Florida West Coast chapter.
Michael Velasco is a Director in the Nielsen Internal Audit department with nearly a decade of experience in the measurement and technology industry. Since joining Nielsen, Michael has conducted and supported internal and external audits for various Nielsen product releases. Previously, Michael worked at a manager level with the advisory media and entertainment practice of EY, providing attest and advisory services to companies conducting media research in the U.S. on behalf of the industry’s regulatory body. Michael is a Certified Information Systems Auditor (CISA). He has a B.S. in accounting from the University of Florida and holds a master’s degree in Information Systems and Operations Management.
