CCPA Compliance

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) grants consumers rights related to the collection, use and sale of their personal data—and prevents businesses from discriminating against them for exercising those rights. It applies to organizations that do business in California if they meet specific requirements. When the CCPA takes effect on January 1, 2020, businesses must implement and maintain reasonable data security policies and procedures that are appropriate to the nature of the personal information they collect.

Prepare for the CCPA with Informatica

Under the CCPA, consumers have the right to:

Ask about the categories and specific pieces of personal information a business has collected about them
Ask about the purposes for which the business uses that information
Ask the business to delete personal information it has collected about them
Request that their personal data not be sold to third parties

Can your organization answer all of these questions, quickly, accurately, and efficiently?

Informatica data governance and privacy solutions provide a framework designed to help you meet this challenge: to discover what sensitive data you have, where it is located, who can access it, how it’s being used, and how you can best protect it to lower risk while keeping data open for business.

CCPA compliance: Answers to 6 common questions

What’s the difference between GDPR and CCPA?

The CCPA has three main differences:

Right to opt out of data sales: Organizations must tell consumers if their data is being sold, and consumers must be able to opt out of that sale.
Scope of protected data: The CCPA covers data related to a specific individual as well as data related to their household and devices.
Nondiscrimination: People who exercise their data privacy rights cannot be put at a disadvantage because of their choices.

How are leading companies preparing for the CCPA?

Many organizations are starting by conducting risk assessments, including data discovery and identity mapping to find out where personal data resides, who it belongs to, and where data is proliferating. They are updating privacy policies and procedures and implementing automation technologies so they can quickly address customers’ requests to access, view, or delete personal information. They are checking service agreements with partners and other third parties to control data lineage, and applying remediation such as data masking to govern data privacy.

What is personal data under the CCPA?

The CCPA contains a broader definition of personal data than the GDPR. It covers any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Your privacy framework must be able to protect information ranging from traditional personally identifiable information to web browsing histories, geolocation data, audio recordings, and more. You must also protect any "inferences" used to create a customer profile.

LEARN MORE

Does the CCPA require opt-out?

Under the CCPA customers must be able to opt out of any selling of their personal data. It also requires prior consent for selling of minors’ data. Properly acting on opt-out rights and consents can build trust assurance within your customer base—and customers are more willing to share data with companies they trust. In this way, consent management becomes a customer experience opportunity, not just a compliance cost.

How can I plan for future regulations?

The effort you put into complying with the GDPR and the CCPA can serve as initial steps toward implementing a global-ready data privacy governance framework for an enterprise-wide data protection strategy. Use the the current regulations' accountability requirements to improve your ability to quickly and accurately find data across your enterprise, automate data protection controls, and to be transparent about mitigating privacy breaches and accelerating risk resolution.

How can AI help me with CCPA compliance?

Operationalizing data privacy by adding AI and machine learning can help you prepare and act on information more quickly. AI can assist in identity resolution to verify identities before responding to consent, data access, or data deletion requests. AI-powered intelligent data management helps you discover, cleanse, prepare, and protect sensitive data at the speed of business.

LEARN MORE

Hone your CCPA strategy with our data privacy webinars

Learn about compliance considerations from a variety of viewpoints: privacy experts, customers, and even Informatica’s Deputy General Counsel. Start with one webinar or watch the entire collection to get insights that can help you close readiness gaps.

CCPA requirements: What do you need for compliance?

Requirement: Process inventory to respond to data subject access requests, including right to know

Solution: Create end-to-end workflows to visualize the processes and activities that link physical systems to data categories, purpose, and third-party sharing, making the data flow more transparent so you can begin to quickly find and assess the requested data.

Requirement: Right to deletion

Solution: Completely remove personally-identifying information from systems with remediation that includes deletion workflows, and use validation capabilities to assess data against retention policies, and/or create an audit trail to verify the data has been removed or deidentified.

Requirement: Right to sales opt-out

Solution: Matching requests collected from feeder systems to the trusted profile of a specific individual and that individual’s related data, wherever it exists across the enterprise, and run data subject access request (DSAR) discovery reports to determine where the subject’s data is being used.

Requirement: Data privacy protection

Solution: Orchestrate the automated deployment of data security controls to mask personal data, help prevent unauthorized access, and monitor for suspicious use. Comply with requirements for data anonymization through deidentification without slowing down business.

Requirement: Right to access data

Solution: Efficiently support access requests by using real-time insights about an individual’s in-scope personal data to quickly match that data with its purpose.