Preparing a compliance plan for the California Consumer Privacy Act
This article was based upon “Preparing for the California Consumer Privacy Act (CCPA) Checklist,” one of the more than 68,000 resources within Practical Law.
California's groundbreaking, comprehensive consumer privacy law, the California Consumer Privacy Act of 2018 (CCPA), as amended, goes into effect January 1, 2020.
While enforcement of most provisions may not start until July 31, 2020, there are actions businesses can take ahead of time to align their practices with the CCPA's new consumer rights and data protection responsibilities.
Here are some steps to take right now:
1. Determine if the CCPA applies to your business
If your business meets one of the three jurisdictional thresholds (+$25 million annual gross revenue; buys, receives, shares, or sells personal information from +50,000 California residents; or derives +50% annual revenue from selling personal information) and is a for-profit entity that collects personal information from California residents and determines how it's used (directly or indirectly), then it is likely subject to the law.
2. Remain current on any revisions or changes to the CCPA
Ensure that your business remains up-to-date on the new law. This may include tracking related legislation or technical amendments that could alter the law's scope, as well as any new implementing regulations the California Attorney General adopts.
3. Review the CCPA’s exclusions to see if your business qualifies
Like many broad statutes, the CCPA comes with enough exemptions and exclusions to make it worthwhile to examine if your business is exempt, especially if you operate in the healthcare or financial services sectors. In all cases, have experts analyze your unique situation before assuming your business does or does not need to comply.
4. Review your data security practices and procedures
Conduct a comprehensive data security risk assessment for all California consumer data that your business already handles to ensure it appropriately protects this data. Identify and address any technical system limitations, including how your systems identify California residents, as part of your security system review.
The CCPA's private right of action for certain data breaches begins on January 1, 2020. Strong and robust security programs may provide powerful defenses to such actions.
5. Examine your current business practices to prepare for compliance
Look at your data streams – chiefly the incoming information from customers – and ask yourself some key questions. How does your business collect, track, and store customer data? How does it share data, and who can access it?
Most specifically, does your business sell, disclose, or share customers’ personal information with third parties? If it does, consider whether selling or sharing California residents' personal information is critical to your business's core activities, or whether it could operate successfully without it.
6. Get in line with the CCPA’s disclosure rules
The CCPA requires businesses to provide California residents with detailed disclosures on how they collect and use their personal information. Make sure your business has those disclosures in place. Also, update any older privacy-related disclosures to meet CCPA requirements, and set procedures that ensure you update all disclosures at least every 12 months.
7. Prepare processes for ensuring consumers’ CCPA rights
Businesses also need to ensure that consumers can exercise their new CCPA rights. This includes providing consumers access to their data, allowing them to delete certain data, enabling personal information sales opt-out rights, and preventing sales of a minor's personal information without valid opt-in consent. For example, businesses that sell personal information must create a webpage that enables consumers to exercise their opt-out rights.
Your business also needs to create a process that allows it to receive and verify consumer requests, such as a toll-free telephone number or a webpage that allows consumers to contact the company directly. Responding to these requests requires systems that collect, track, and process them within 45 days or 90 days (depending on the complexity of the request), according to the CCPA.
8. Engage in robust employee training in this area
Finally, businesses need to develop and implement ongoing training for all employees concerning the CCPA’s general requirements and more specialized training for those employees directly responsible for handling any consumer data or rights requests.