Details on SSO’s CCPA Gap analysis and security assessment


The California Consumer Privacy Act (CCPA) was enacted in 2018 and takes effect on January 1, 2020. These broad privacy requirements are entirely new to the U.S. and the clock is ticking!

Consider this the intro to ‘America’s GDPR’

This landmark piece of legislation secures new privacy rights for California consumers. On October 10, 2019, Attorney General Xavier Becerra released draft regulations under the CCPA for public comment. CCPA will require organizations to focus on user data and provide transparency in how they’re collecting, sharing and using such data.

SSO | Gap Analysis - Security Assessment

SSO’s CCPA Gap Analysis - Security Assessment assesses your company’s current level of compliance in alignment with the CIS 20 Critical Security Controls to help identify and prioritize the key areas that your company must address to improve your security and bring your organization into compliance.

SSO Gap Analysis Deliverables:

  • 3 Level report with findings (Executive Summary, Find It Fix It details, Assessment Data)

  • Remediation Recommendations

  • Detailed Gap Analysis Breakdown by each of the 20 controls

Choosing the right team:

  • SSO has an in-depth understanding of the CCPA requirements and how they apply to your business.

  • We provide ongoing support to maintain your compliance standing while improving security.

  • Our detailed proposals are fixed price, so you won’t get any unexpected surprises.

  • You get a dedicated project lead throughout the project, plus ongoing support.

Your SSO Project Lead will guide you through the assessment process from beginning to end, helping you and your team understand how your company’s management of privacy and data protection can align with the CCPA’s regulations.

Understanding:

  • Governance 

  • Risk management  

  • Information security responsibility  

  • Roles and responsibilities  

  • Scope of compliance 

  • Process analysis    

  • Rights of consumers 

Companies serving or employing California residents may find these five CCPA requirements have the biggest impact on their business plans:

1. Data inventory and mapping of in-scope personal data and instances of “selling” data

2. New individual rights to data access and erasure

3. New individual right to opt-out of data selling

4. Updating service-level agreements with third-party data processors

5. Remediation of information security gaps and system vulnerabilities

The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.

Call 858-848-5776 to get a quote and schedule your assessment.


Detailed information below:

The CCPA grants new rights to California consumers


• The right to know what personal information is collected, used, shared or sold, both as to the
categories and specific pieces of personal information;
• The right to delete personal information held by businesses and by extension, a business’s service
provider;
• The right to opt-out of sale of personal information. Consumers are able to direct a business that sells
personal information to stop selling that information. Children under the age of 16 must provide opt-in
consent, with a parent or guardian consenting for children under 13.
• The right to non-discrimination in terms of price or service when a consumer exercises a privacy right
under CCPA.

The CCPA applies to certain businesses

• Businesses are subject to the CCPA if one or more of the following are true:

  • Has gross annual revenues in excess of $25 million;

  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or
    devices;

  • Derives 50 percent or more of annual revenues from selling consumers’ personal information.

• As proposed by the draft regulations, businesses that handle the personal information of more than 4
million consumers will have additional obligations.

The CCPA imposes new business obligations

• Businesses subject to the CCPA must provide notice to consumers at or before data collection.
• Businesses must create procedures to respond to requests from consumers to opt-out, know, and
delete.

  • For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website
    or mobile app.

• Businesses must respond to requests from consumers to know, delete, and opt-out within specific
time frames.

  • As proposed by the draft regulations, businesses must treat user-enabled privacy settings that
    signal a consumer’s choice to opt-out as a validly submitted opt-out request.

• Businesses must verify the identity of consumers who make requests to know and to delete, whether
or not the consumer maintains a password-protected account with the business.

  • As proposed by the draft regulations, if a business is unable to verify a request, it may deny the
    request, but must comply to the greatest extent it can. For example, it must treat a request to
    delete as a request to opt-out.


• As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange
for the retention or sale of a consumer’s personal information and explain how they calculate the value
of the personal information. Businesses must also explain how the incentive is permitted under the
CCPA.
• As proposed by the draft regulations, businesses must maintain records of requests and how they
responded for 24 months in order to demonstrate their compliance.

  • In addition, businesses that collect, buy, or sell the personal information of more than 4 million
    consumers have additional record-keeping and training obligations.