There are similarities between the GDPR and the CCPA, but there are some key departures as well. Nielsen’s Kevin Alvero and Michael Velasco detail the differences internal auditors should be aware of to ensure compliance.
On May 25, 2018, the General Data Protection Regulation (GDPR) took effect, giving individuals in the European Union unprecedented protection and privacy regarding organizations’ use of their personal information. For California businesses and those that serve California residents, the GDPR turned out to be a harbinger of a similar law that went into effect on January 1, 2020.
Just over a month after the GDPR took effect, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law, the first comprehensive consumer data privacy law in the United States. It went into effect on January 1, 2020, and U.S. organizations and their internal audit teams have been working to understand what the law means for them. At the most basic level, internal auditors should understand what the CCPA is and whom it applies to, as well as how they can help their organizations manage risk related to CCPA compliance.
Purpose and Scope
Just as the GDPR was designed to protect individuals in the European Union, the CCPA protects California residents’ rights regarding their personal information. These rights include:
- The right to know what personal information an organization collects about them, the categories of sources it was collected from, the business purposes for collecting it, and the categories of third parties to which it is disclosed or sold (if applicable).
- The right to opt out of the sale of their personal information to third parties.
- The right to have collected personal information deleted, subject to certain exceptions.
- The right to exercise these rights without being discriminated against, for example by being denied service or charged a different price.
As one summary of the law puts it, “the overriding goals of the CCPA are to let California consumers know more about the data collected about them, along with putting some of the rights regarding that information back into consumers’ hands.”[1]
Though focused on California residents, the law’s impact is far reaching. One source estimates it may affect half a million companies across the United States.[2] A for-profit business that does business in California, collects California consumers’ personal information and meets any one of the following criteria is subject to the law:
- Has annual gross revenues in excess of $25 million;
- Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information.[3]
While it may be tempting to regard the CCPA as simply an American version of the GDPR, internal auditors should understand that the two are not the same. One of the most important differences is the CCPA’s broader definition of personal information: information that can reasonably be linked to a household or a device (e.g., browsing history, geolocation data) counts as personal information, not only information that identifies a person.[4] Another difference is one of emphasis. The CCPA’s obligations center on the collection, disclosure and sale of personal information; the GDPR, by contrast, regulates all processing of personal data and requires a lawful basis for it.[5] Because of these and other differences, a company that is GDPR compliant is not automatically CCPA compliant.
Impacts
Enforcement of the law came in phases. The private right of action took effect on January 1, 2020: a business that suffers a data breach exposing nonencrypted and nonredacted personal information because it failed to implement and maintain reasonable security can be sued, including in a class action, for statutory damages of $100 to $750 per California resident per incident, or actual damages if greater. For most organizations this is the greatest exposure. Enforcement by the California attorney general began July 1, 2020, with civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.[6]
Managing Compliance Risk
Although GDPR compliance will not satisfy the CCPA completely, organizations that have worked toward GDPR compliance should find that many practices carry over. First, both laws focus on protecting individuals’ personal information. Second, both aim to increase transparency about that information, especially about how it is collected. Third, both give affected individuals rights, including remedies when a business’s failures lead to a data breach.
As such, internal auditors should focus their attention on several key areas when looking at CCPA compliance:
Leadership & Accountability
It is critical that the organization have a person who owns responsibility for CCPA compliance and that this person has the expertise, authority and resources to take the steps needed to ensure compliance. In addition, a cross-functional team (legal, HR, IT, communications, etc.) should be assembled to lead the compliance effort.
Disclosures/Consent
Disclosures about how personal information is collected and whether it may be sold are central to CCPA compliance, as are the mechanisms that let individuals opt out of the sale of their data, such as the “Do Not Sell My Personal Information” link the law requires on a business’s website. Note that the default differs by age: adults must be given the chance to opt out, while selling the personal information of consumers under 16 requires affirmative opt-in consent (from a parent or guardian for children under 13).
Internal audit should help the organization ensure that all disclosures and consent mechanisms needed for CCPA compliance are created and/or updated. Additionally, ongoing monitoring (continuous and/or sample-based) should be performed to verify that disclosure and opt-out mechanisms function properly at the point of collection and that the disclosure and consent status travels with the data as it flows through the organization.
Policies
Similarly, policies affected by CCPA, such as the organization’s privacy policy and data retention policy, should be updated to reflect CCPA, and where applicable, these policies should be made available to the appropriate parties. In the context of CCPA compliance, internal audit should periodically review relevant policies to ensure that they are current, compliant and accessible.
Additionally, because the law gives individuals the right to request access to and deletion of their personal information, internal audit should assess the organization’s readiness to handle such requests through manual and/or automated processes, including its ability to verify the requester’s identity and to respond within the statutory 45 days (extendable once by a further 45 days where reasonably necessary). Trained personnel, an approved communications plan, working communications channels and procedures for documentation are all key elements auditors should look for.
Data Governance & Information Security
Protecting consumers’ personal information against unauthorized access is a central aspect of the CCPA. Although the law does not directly prescribe specific security controls, it creates a private right of action for data breaches caused by a business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.[7] If a breach does occur, it will therefore be critical for the organization to demonstrate the steps it was taking to protect that information and manage it responsibly.
Again, internal audit should be performing routine procedures to verify that documentation of collected personal information (mapped from collection to share/sale) is thorough and accurate. Internal audit should also verify that a data breach response plan is in place, is current and complies with CCPA requirements.
Additionally, testing should be performed to verify that personal information was sold only where no opt-out was in effect (and, for minors, only with opt-in consent) and, conversely, that information for which a consumer had opted out did not get sold. Valid deletion requests should also be reviewed to determine whether they were carried out appropriately, including by service providers that hold copies of the data.
Third-Party Agreements
The CCPA gives consumers the right to request information about how a company shares their personal information with third parties and to opt out of its sale. It also distinguishes a “sale” to a third party from disclosure to a service provider, which must be bound by a written contract that prohibits it from retaining, using or disclosing the information for any purpose other than performing the contracted services. Where a business offers a financial incentive tied to personal information, the attorney general’s regulations additionally require a good-faith estimate of the value of that information. Internal auditors will therefore play a key role in making sure that contracts and service-level agreements with third parties and service providers are created or updated to accommodate CCPA compliance.
Conclusion
Going forward, internal audit will be a valuable ally as organizations work to maintain CCPA compliance. Internal audit procedures that verify the organization’s processes and controls around personal information (disclosure, consent, documentation, request handling, information security, etc.) provide a crucial early warning of issues. At the same time, internal audit should help its organization look ahead to future risk.
CCPA is unlikely to be the last legislation of its kind, and some companies are already operating under the assumption that they will be extending CCPA-type protections to consumers regardless of their state of residence. Therefore, scanning for emerging risks and leveraging lessons learned through GDPR and CCPA represent opportunities for internal audit to showcase its ability to provide strategic value in addition to critical verification and quality assurance.
[1] Fair Warning. (2019, October 30). California Consumer Privacy Act: Everything You Need to Know About CCPA, the New California Data Privacy Law.
[3] Wikipedia. “California Consumer Privacy Act.”
[5] PwC. “Your readiness roadmap for the California Consumer Privacy Act (CCPA).”
[7] Compert, C. (2019, April 5). Preparing for the CCPA: Leverage GDPR Investments to Accelerate Readiness. Security Intelligence.