CCPA RESOURCES CENTER › THE COMPLETE CCPA GUIDE

Chapter 5: Getting Started with CCPA Compliance

Understanding the CCPA front to back is important, but for business leaders dealing with day-to-day realities, it all boils down to one practical question: What is actually required to move forward with CCPA compliance?

This chapter discusses the different options available to businesses, how to organize the effort, and what sort of time investment is required.

CCPA Compliance Strategies

Businesses have a few different options when it comes to becoming CCPA compliant. They can keep the whole project completely in-house, hire a law firm or consultant, or use a software solution like TrueVault.

The In-House Strategy

It's always tempting to try to handle CCPA compliance internally. That is, assign one person or team to do everything required to become CCPA compliant. The reason is obvious: cost savings.

For companies with an in-house legal department and the time to focus on the project, this approach may make sense. Attorneys have the background to understand the statute, regulatory changes, reports from the Attorney General, etc., and translate it all into an actionable strategy. Even in this situation, however, the costs can quickly balloon beyond what was expected. Unless the attorneys are already experts in data privacy law, they will have to spend a considerable amount of time researching the issue, and that is time taken away from performing their regular duties.

For businesses without a legal department, the in-house strategy is probably more trouble than it's worth. The person assigned to the task will likely have to start from scratch when it comes to understanding the CCPA, meaning a lot of of time concentrating on just this and not their "day job", and that's just for the initial "getting compliant" phase.

The initial savings of keeping CCPA compliance in-house quickly evaporate. Staying compliant and keeping up with changes in the law may end up being a full-time job. The California Attorney General has already proposed multiple rounds of regulatory changes, and the Consumer Privacy Rights Act (CPRA) made significant alterations to the CCPA in 2020, most of which have not yet gone into effect. There are other state laws to contend with, as well as the potential for a federal privacy law. In this complex regulatory landscape, it is likely that an employee will miss important issues. With civil fines up to $2500 per violation, any mistakes could become quite costly.

Estimated Project Duration:

Will vary according to the business and staff members involved, but typically 8+ weeks, ~96 hours of hands-on time.

Law Firms and Consultants

As with many compliance-related issues, the more traditional route to CCPA compliance is to hire a law firm or consultant. This approach has a few benefits. The first is expertise. As opposed to finding someone in-house who will have to spend a lot of time familiarizing themselves with the CCPA, these specialists already have the knowledge necessary to do the job right. The second benefit is the amount of attention that a law firm or consultant can give to your business. If your company has an extremely complex data map, all that personalized attention may be a good idea.

It should come as no surprise that the major drawback of this approach is cost, both in money and time. Law firms and consultants are expensive, and they will spend weeks getting your business CCPA compliant. Company employees will also need to spend a significant amount of time working with the specialists to answer questions and implement changes.

Estimated Project Duration:

4–8 weeks, 40–80 hours

Software Solutions

A software solution to CCPA compliance can bring many of the benefits of hiring a law firm or consultant, but at a fraction of the cost. For most businesses that are required to be CCPA compliant, this will be the best option.

A good CCPA software, one that is designed by attorneys, can deliver the same level of expertise as any outside specialist. The difference with software is that most of the work is already done in advance and many of the tasks are automated; consultants and attorneys have to start over completely with each client. Because of this, software solutions are almost always going to be faster and less expensive.

But not all software solutions on the market are equal. Most software solutions are intended for use after the business has already become CCPA compliant. They help with tasks such as tracking consumer privacy requests, but they can't help create the initial data map because of the high degree of customization needed. More recent software has emerged, however, that can walk businesses through the entire process, starting from scratch all the way to full compliance. Similar to tax filing software, automation tools like TrueVault offer a guided experience so businesses can manage their own compliance effort and stay up to date on the latest changes in the law.

With the right software, businesses enjoy the benefits of outside expertise with many of the cost savings of keeping the project in-house.

Estimated Project Duration (Using TrueVault):

1 week, ~4–16 hours

Organizing Your Company's Compliance Project

For the reasons discussed above, most businesses choose to bring in outside help for their CCPA compliance project, whether that be from a law firm or a software solution. Having outside help, however, does not mean that a business's employees will not be involved. On the contrary, the following internal roles are critical to the success of any successful CCPA compliance strategy. Depending on the size and nature of a business, one person may take on all of these roles or a team of workers may be needed for each.

Compliance Champion – This is the person who takes ownership of CCPA compliance at the company, someone who is committed to getting the whole thing across the finish line. The Compliance Champion will learn all there is to know about the CCPA and coordinate efforts between the various groups and departments. It's a good idea to have this person also lead the Privacy Team as the business transitions to staying compliant.

Operations/Legal – Someone who can review and make changes to a business's privacy policy and vendor contracts. They will also make the determination as to whether outside companies that receive personal data are third parties or service providers, as defined by the CCPA. This person does not have to be a lawyer, but they should be very familiar with the CCPA's rules.

Department Representatives – A critical component of becoming CCPA compliant is understanding what categories of personal information are being collected and how they are used. Businesses often collect personal data without even realizing it. These representatives know what tools are being used in their departments, e.g., CRM, payment processing, etc. Consulting with them helps the Compliance Champion develop a fuller understanding of the situation while creating the data map.

IT/Software Development – Indispensable to CCPA compliance, the IT team is needed to make the necessary changes to the business's website, mobile apps, and other online products. They can also be very helpful throughout the data mapping process.

Conclusion

The CCPA is a complex law. It makes businesses take a hard look at their data privacy practices, often for the first time, and make permanent changes. For many businesses this is unknown territory but with a solid base of knowledge and guidance from the right tools, becoming CCPA compliant is not an overwhelming process. More than anything, it requires the flexibility and willingness to adapt that so many modern businesses already have.

If you're ready to get started with your company's CCPA compliance project, learn more about the tools available to you and contact our team today.