IAPP CCPA 5 Action Items Whitepaper
Effective Jan. 1, 2020, the California Consumer Privacy Act creates new protections for the personal data of California residents and new requirements for the businesses that process it. To comply with the CCPA, some critical action is needed now.

Here are five concrete action items privacy professionals can tackle and considerations that underpin each step.

1.) Determine who you are under the CCPA

As a starter, you should determine whether and how the CCPA applies to your organization. Is your organization a covered business? If so, is it “selling” personal data? Is it or are your vendors service providers or third parties? Might your organization be multiple of these at once?

Your organization is a covered business if it is a for-profit entity that does business in California, collects the personal information of California residents, determines the purposes and means of processing that information, and at least one of the following applies.

• It has annual gross revenues in excess of $25 million.

• It annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.

• It derives 50% or more of its annual revenues from selling consumers’ personal information.

Your organization is “selling” personal data under the CCPA if it is “communicating … a consumer’s personal information to another business or a third party for monetary or other valuable consideration” … unless it is sharing it with a “service provider” and has provided notice in its terms and conditions that personal information is being shared (or a listed exemption applies). Notice that under the CCPA, the term “sell” is defined broadly to include many actions that your business may not have regarded as sales. For example, placement of a third-party cookie on your website to enable advertising could fall within scope. Allowing vendors to analyze data for their own purposes might also be considered a sale. Moreover, the CCPA definition of personal information is broad — even broader than that under the EU General Data Protection Regulation — and includes cookies, a device identifier, pixel tags, customer number, information linked to a household and more.