Written by: Richard Eisert, Gary Kibel, Vivian Byrwa and Avinoam Shefa
While the California Consumer Privacy Act (CCPA) promises to bring significant change to the way some businesses collect and use personal information from consumers, the exact scope of that change remains unclear, pending further action by the California Attorney General and Legislature. However, the law is still set to become effective January 1, 2020 and businesses should not wait for California to issue further clarifications before taking action. Here are 10 things you can do now.
- Assess the CCPA’s applicability to your business – Determine whether your business falls within the scope of the CCPA. The CCPA applies to businesses that collect California consumers’ personal information and either (i) have annual gross revenues in excess of $25 million, (ii) process the personal information of 50,000 or more California consumers, households, or devices or (iii) derive 50 percent or more of their annual revenues from selling California consumers’ personal information. Note that the CCPA has broad applicability and protects the information of California residents (not only when they are present in California). This means that certain “geo-fencing” strategies that were used to avoid the applicability of the GDPR may not be sufficient in the case of the CCPA.
- Review and track your data collection practices and data streams – It’s important to have a firm understanding of what personal information your business is collecting, how the personal information is being processed, and with whom the personal information is being shared. The CCPA will require you to disclose collected data to consumers who request it and to inform consumers of your data collection practices before you collect personal information. If your business has not already done so, consider creating system diagrams that document the lifecycle of collected data and data flow maps for locating a customer’s personal information. This will also help with your recordkeeping efforts.
- Maintain records of data processing activities – Under the CCPA, a California consumer is entitled to request that a business provide certain disclosures as they relate to the processing of that consumer’s personal information within the year preceding the request in a readily usable format. This is sometimes referred to as the “look back” provision. Since consumers can start exercising their rights and requesting information about a business’s data processing activities on January 1, 2020, this technically means that a year prior to such possible request, businesses should be keeping records on their processing activities in a way that enables them to respond effectively to this “look back” provision. The recent amendments to the CCPA did not postpone the applicability of the “look back” provision. Because the Attorney General’s approach to enforcement is unclear at this time, businesses will need to have processes in place to organize and manage consumer data collected well before the Attorney General commences enforcement activities.
- Review policies and identify gaps with GDPR – There is a common misconception that being GDPR compliant means you are also CCPA compliant. This is not the case. Businesses should certainly coordinate their GDPR and CCPA compliance efforts, but also be mindful of the differences. For example, the CCPA explicitly restricts discrimination against consumers that have exercised their rights under the CCPA, including by charging different prices for services or providing a different level of services. Businesses should take steps to uncover gaps in their current practices that are not yet CCPA-compliant, identify operational challenges that CCPA compliance may pose and plan for compliance action.
- Review external privacy policies and other consumer disclosures – The CCPA requires certain disclosures to be made to consumers. Reviewing existing disclosures and commitments currently made by the business can help identify any missing disclosures and commitments required under the CCPA.
- Plan how to proactively communicate with your consumers about CCPA compliance – Devise a uniform public-facing message that communicates to your consumers and clients about the business’s position on CCPA compliance. This message can be used whenever a consumer or a corporate client asks about CCPA. The message should be disseminated within the business to ensure that employees understand how to effectively communicate the business’s position on CCPA.
- Stay up-to-date on state and federal privacy developments – The CCPA will not be the last data privacy regulation your business will have to address. There are numerous new state laws pending, including proposed laws in Washington State and New York. The Federal Government has also introduced various new privacy bills, including one that can preempt state law, including the CCPA. Staying current on privacy developments and frequently conversing with your privacy counsel will help you prepare for and react more appropriately to legal changes that impact your business.
- Assess third parties – One of the major requirements under the CCPA is to provide consumers with the opportunity to opt-out of the “sale” of their personal information. The standard is opt-in if the user is under 16 years of age. The definitions of “personal information” and “sale” are both extremely broad. Further, a business is provided with a safe harbor for non-compliance by their service providers if certain controls with the service provider have been put in place. Therefore, consider all third parties with whom the business is working and the contracts with such third parties, both in terms of parties to whom data is transferred and counter-parties when the business is a recipient of data.
- Be flexible – While it is best to take action even while the industry waits for regulations from the Attorney General, every organization will need to be flexible should the regulations move the goal posts on your plans.
- Consult with your privacy counsel – Work with outside legal counsel that is well-versed in privacy law and the CCPA in particular. Due to the complexities and current uncertainties of the CCPA, the legal, regulatory and technical implications of the CCPA and other privacy laws could have a significant impact on your business’s data processing activities.
In the ever-changing landscape of the U.S. privacy space, businesses should not take a wait-and-see approach when it comes to CCPA compliance. The ten action items outlined in this Alert will not only assist businesses with CCPA compliance, but may also assist with compliance with other new privacy laws, standards and serve as best practices.