Thursday, February 25, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

Look Behind You – Now!

The CCPA "Look Back" Requirement

by Bill Tolson
February 13, 2019
in Data Privacy
traffic seen through car's side mirror

A provision in the upcoming California Consumer Privacy Act (CCPA) will make the regulation retroactive once it goes into effect… meaning it’s effective now. Bill Tolson of Archive360 discusses what organizations can do now to move toward CCPA compliance.

The California Consumer privacy Act (CCPA) was passed last year (2018) with an effective date of January 1, 2020 – assuming no federal actions (check out the blog titled “Will the New California Consumer Privacy Act Stand?” for potential federal actions).

Who does the CCPA affect?

Simply put, the CCPA protects all California residents whether they are consumers, employees or business contacts. In hindsight, with the passage of the EU’s GDPR privacy regulation, many organizations didn’t think they needed to worry about it until much closer to the effective date of May 25, 2018. In fact, there are still many companies that aren’t in compliance. This wait-and-see strategy turned out to be a risky strategy for many companies because they didn’t fully understand the implementation complexities involved. They were not considering the potential startup costs, implementation turnaround times and the new processes needed to put it in place. Implementation readiness for the CCPA has already put many companies in an untenable position; they may already have dug themselves a hole it will be difficult to climb out of.

Most companies aren’t yet aware of the fact that their responsibilities for CCPA readiness begin well before the planned January 2020 implementation date. I am speaking of the “look back” requirement.

The look back requirement of the law allows California citizens to ask for their information on January 1, 2020 – for the previous 12 months. Companies should be able to find and report on what consumer data exists, how it’s being used and if it’s been sold to third parties. Also, the consumer can demand its disposal if the company is not required to keep it for regulatory or legal reasons. Ideally, beginning on January 1, 2019 (already past) companies should already have been capturing and managing consumer data in such a way as to ensure it can be found, culled and deleted quickly if needed. The current requirement is a business must respond to a consumer’s verified request for information within 45 days (subject to extension under limited circumstances). Many companies will not be able to fully respond correctly, raising the possibility of fines.

What does this mean for my company?

Companies that have not begun CCPA planning and implementation should take this risk to heart and get started immediately. The following topics should be addressed in your CCPA planning:

  1. Records/information management: Are you managing ALL data that contains California residents’ personally identifiable information (PII)? A best practice is to consolidate all PII (not just Californians’) into a single repository to make searching faster/easier and to ensure no copies are floating around, which would violate the CCPA if not deleted when asked. Ensure your systems are set up to index and search for PII based on residency.
  2. Create a CCPA team for fast/complete response: The time frame to react to a PII request is limited, so having a tested process in place will greatly reduce noncompliance liability.
  3. Data deletion: How PII is deleted from your systems is important. Simply hitting the delete button is not a true deletion – meaning unrecoverable. Companies should install deletion technology that ensures PII is completely unrecoverable, otherwise it could be considered still available and in violation of the CCPA.
  4. Data encryption: The best insurance policy against both GDPR and CCPA noncompliance is utilizing encryption/anonymization with all PII. Many privacy laws, including the GDPR and CCPA take the position that if PII is encrypted and the encryption keys were not stolen/hacked, then even if the data was accessed, it could not have been usable and therefore not in violation if data is inappropriately accessed.

We’ll Take Our Chances

Some CIOs have the attitude that they don’t need to worry about the CCPA because the chances of a California citizen asking about their PII from a small company in another state is particularly low – a bad idea. The chances may be low, but they’re not zero, and the benefits of CCPA preparation (listed above) actually provide obvious benefits to companies beyond that of CCPA risk reduction, such as better information management.

If your organization has not started yet, you still have time to get your company ready. Working with vendors focused on this area will help to get ahead of these challenges to ensure administrators are ready on January 1, 2020.


Tags: CCPA/California Consumer Privacy ActencryptionGDPRPII
Previous Post

Major New Legal Industry Study Reveals State of AI in Contract Analytics

Next Post

Launched Today: TRACE e-Gov Portal, a Global Directory of e-Government Resources

Bill Tolson

Bill Tolson currently serves as Vice President for Archive360 and is focused on the archiving, migration, governance, regulatory compliance and cloud-based storage of data. Bill has extensive experience in e-discovery and archiving/information governance from both a marketing and customer perspective.

Related Posts

finger breaking digital padlock

SOC 2 Compliance: Why You Should Care

February 19, 2021
side view of earth with network concept

A Boom in Privacy Regs Complicates Compliance

February 10, 2021
hand holding multicolored balloons outside

Happy Data Privacy Day!

January 28, 2021
COVID-19 tracking app showing location and infected people on blue background

Prioritizing Privacy During a Pandemic

January 4, 2021
Next Post
businessman selecting contacts icons

Launched Today: TRACE e-Gov Portal, a Global Directory of e-Government Resources

Access realtime data
Addressing systemic racism in the workplace SAI Global
Dynamic Risk Assessments with Workiva
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights