
SILENT BREACH

The CALIFORNIA CONSUMER PROTECTIONS ACT
Compliance Roadmap
TABLE OF CONTENTS

Overview of CCPA

CCPA Compliance Roadmap

Does CCPA Affect my Organization?

CCPA and Personal Data

Identifying your Gaps

Data Inventory

Meeting CCPA Requirements

Conclusion
OVERVIEW OF CCPA

THE PURPOSE OF CCPA


CCPA has several goals. Firstly, it establishes the users' right to know whether any of their data is being collected, sold, or disclosed.
Secondly, under CCPA, companies will need to provide the user with the ability to access or delete their data, or simply say no to its
sale. Finally, users who exercise these rights will be protected from any discriminatory actions taken against them.

THE DEFINITION OF USER DATA

Personal information is defined as any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers."

MANDATED CHANGES

Aside from protecting consumer rights, CCPA requires relevant companies to make it easy for consumers to decide how their data is being used. For example, an opt-out form must be made available on the website homepage as well as a toll-free number for data access requests, at the bare minimum. For users who have opted out of sharing their data, companies must wait at least 12 months before asking for additional opt-in consent.

COMPANY REQUIREMENTS

CCPA applies to any for-profit business that does business in California and has annual gross revenues over $25 million, or possesses data pertaining to at least 50,000 devices, households, or consumers, or earns more than half of its annual revenue from selling consumer data.

PENALTIES

Fines will range up to $7,500 for each intentional violation and $2,500 for each unintentional violation. In the event of a security breach, companies can be fined between $100 and $750 per Californian user, in addition to any other court-ordered damages.
CCPA COMPLIANCE ROADMAP

DISCOVERY
Determine whether your organization must be compliant

GAPS ASSESSMENT
Identify the gaps in your privacy & security programs

MITIGATION
Alter your privacy and security programs to comply

DOCUMENTATION
Develop plans and policies for maintaining your compliance program
DOES CCPA AFFECT MY ORGANIZATION?

● Your company doesn’t need to be located in California for CCPA to apply to you. In fact, the
International Association for Privacy Professionals (IAPP) estimates that more than half a million
US companies will be directly affected

● Any for-profit entity that does business with California residents has requirements under the law
if it meets any of the following:
○ Your business’ annual revenue is over $25 million
○ Your business receives information of over 50,000 consumers, households, or devices annually
○ At least ½ of your business’ annual revenue comes from selling personal information
CCPA & PERSONAL DATA

Personal Information: “Any information that directly or indirectly identifies, relates to, describes
or can be associated with or reasonably linked to a California resident or household” and
explicitly includes:
● Name, contact info, government IDs, account numbers
● Biometrics, location data, audio data
● Employment and education history
● Purchase history, behavior, and tendencies
● Online and device IDs
● Search and browsing history and other online activities or from connected devices
● Inferences drawn from any personal info to create a consumer profile

➔ Applies to Consumers, Employees, and B2B Data


➔ Includes Household-level data and device data
IDENTIFYING YOUR PRIVACY AND SECURITY GAPS

Start
1. Identify what you are already doing
2. Talk to your employees
3. List your requirements
4. Review existing processes
5. Begin a data inventory
Finish
DATA INVENTORY

1. Identifying Business Teams - focus on the processes that include the use of personal data

2. Identifying Data Processing Activities - calls and meetings with the teams to break out
individual tasks into data processing activities

3. Documenting Systems - Asset Inventory - document the systems and security controls for
technical assets processing personal data

4. Identifying Vendors - Vendor Inventory - document the contract and business details for
vendors processing personal data

5. Completing Inventory Entries - review the data inventory entries for processes, assets &
vendors
MEETING CCPA REQUIREMENTS

● Requires knowing what data your organization holds, the data flow, and internal use of data

● Processes: changing existing ones and implementing new ones

● Security programs to ensure the safeguarding of personal information

● Following industry-proven security frameworks like NIST or CIS 20

● Encrypting consumer data


Thank you

For more information on this report, please contact:

Phone (US): +1 (727) 497-7941


Phone (toll free): 1-888-221-6396
Phone (Europe): +352 20 88 03 07
Phone (Asia): +65 3159 3424

Email: support@silentbreach.com

Web: https://silentbreach.com
