Premier International has developed a reference architecture that incorporates the minimum requirements to support compliance with the California Consumer Privacy Act (CCPA).
California Consumer Privacy Act
In June 2018, the California Legislature passed AB 375, known as the California Consumer Privacy Act of 2018 (“CCPA”), which it amended in August. The Act gives California residents the right to be informed about what types of personal information companies have collected about them and whether or not it has been shared with third parties. The Act was inspired in part by the General Data Protection Regulation (GDPR), the European Union’s recently implemented data protection law, which is now considered the “gold standard” of data privacy protection. The Act is not effective until January 1, 2020, so whether it will remain in its current form, be further amended, or be superseded by a federal law remains to be seen. Given that uncertainty, it is best to set up a compliance program now instead of waiting. The CCPA has certain key provisions:
- Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what’s being done with their data in terms of both business use and third-party sharing.
- Sale of children’s data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that.
- Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use.
- Businesses will have to have a verification process so consumers can prove they are who they say they are when they submit a request.
- Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special “Do Not Sell My Personal Information” button on their websites to make it easy for consumers to object.
CCPA Reference Architecture
Premier International has developed a 16-point reference architecture to support compliance with the CCPA. There are many technologies available (as shown on the far right below); over 20 technologies are mapped into the respective steps to meet specific needs.
The tooling is mapped to requirements. Here is some of the functionality that will be considered:
- Data Subject Access Requests
- Inventory of Personal Data Elements (PDEs)
- Data Protection Impact Assessments
- Vendor Risk Assessments
- Key Data Elements including PDEs with definitions
- Inventory of Applications
- Data Lineage
- Inventory of servers and routers
- Inventory of EUCs