Using the Nymity CCPA Accountability Handbook to Operationalize Compliance
We are pleased to announce the release of a new Nymity Handbook, a comprehensive compliance guide to the California Consumer Privacy Act (CCPA). The CCPA was passed by the California State Legislature on June 28, 2018 and signed into law the same day. On August 31 the Legislature passed SB-1121, the first round of expected amendments. SB-1121 delays enforcement of the CCPA and makes other modest amendments, mostly technical in nature. While further amendments are expected, the provisions of the law will become operative on January 1, 2020.
For US companies, this law is a compelling reason to invest in operationalizing privacy management throughout the organization. Given the new individual rights within the law (right to request information, right of deletion, right to opt-out, and obligations to inform), along with a private right of action, the risk of non-compliance is significant.
The purpose of this free Handbook is to help privacy offices operationalize their compliance obligations under the CCPA. It is also intended to help multi-jurisdictional organizations leverage their GDPR compliance initiatives to support CCPA compliance.
The CCPA Handbook is organized into five parts:
CCPA Accountability Annotations and Operational Guide
Nymity Research has analyzed the law and identified nine provisions that require the implementation of a policy, procedure, mechanism or other type of technical and organizational measure in order to demonstrate compliance.
Part 1 is divided into four sections to assist your organization in understanding the law and taking measures to comply:
Annotations explaining the meaning and impact of the Articles.
Privacy Management Activities (Technical and Organizational Measures):
A list of privacy management activities that, once implemented, may help your organization achieve ongoing compliance with the CCPA and produce documentation that will help demonstrate compliance.
Example Accountability Mechanisms:
A list of possible policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards, and other mechanisms that may mitigate internal and external privacy risk.
A list of sample evidence indicating that the accountability mechanisms have been implemented and used appropriately.
Nymity’s Privacy Management Accountability Framework™ Mapped to the GDPR and CCPA
This section identifies the specific Articles of the GDPR, as well as the provisions of the CCPA that require evidence of a privacy management activity (technical or organizational measure), mapped to the Framework. This will help you streamline and prioritize your privacy compliance initiatives.
An Accountability Approach to Demonstrating Compliance with the CCPA
This section discusses how an accountability approach helps organizations implement and maintain appropriate privacy management activities that create a capacity to comply over time, as well as produce documentation that provides evidence of compliance.
The Full Text of the California Consumer Privacy Act of 2018
CCPA Compliance – How Nymity Solutions Help
All-in-all, seven out of the nine privacy management activities that are considered to be relevant to demonstrating CCPA compliance are also relevant under the GDPR, and are thus likely to already be part of your privacy program. A good example is the right to information, which is included in both laws. To comply with the laws, you will need to have a privacy notice in place, explaining how your organization deals with personal data protection, what safeguards are in place, how individuals can exercise their rights, your purposes for data collection, which categories of data are collected, and more.
For the CCPA, specifically, you will need to include a paragraph dealing with the sale of personal data to third parties, including which categories of companies you would be selling data to.
Another example is right of access. For right of access you will need to take into account different time lines for disclosing and delivering the required information to the data subject: one month under the GDPR and 45 days under the CCPA. The CCPA Handbook identifies the divergences between the two laws in more provisions. It also shows where the core requirements are the same, meaning a lot of the work done for the GDPR can easily be extended or re-used.
More detail on the mapping of the CCPA to the Nymity Privacy Management Framework™ can be found in the Nymity CCPA Accountability Handbook, together with a comparative table between the CCPA and the GDPR. The Handbook is available as a free download on our website and available in hardcopy at privacy conferences around the world.