On The Road Again: Practical First Steps On Your Way to Compliance with the CCPA

March 4, 2019 | Alerts

The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, will take effect in 2020. The law includes detailed disclosure requirements, provides individuals with extensive rights to control how their personal information is used, imposes statutory fines and creates a private right of action. It is expected to dramatically alter the way U.S.-based companies process data.

Yes – it is true that CCPA will only go into effect in 2020, and some changes in the law are expected.

However, CCPA also has a “12 month look back,” which requires companies to be able to provide information to consumers about information collected or disclosed in the immediately preceding 12 months. Couple that with some “behind the scenes” preparation, which will likely be necessary whatever form the law takes (to allow you to make expanded disclosures or to address the consumer rights of access or deletion), and you have good reasons not to take a “wait and see” approach.

Here are the top five steps you can start taking already to prepare for CCPA:

1. Map your Personal Information:

Map out the key aspects of how you handle “Personal Information.”

Specific questions to ask (with key points to focus on):

  • What Personal Information do you collect?
    • Includes: California employee information
    • Includes: Internet activity including cookie stream, interactions with the website, browsing history, IP address, mobile device ID
    • Also includes: Inferences drawn from any Personal Information to create a profile about a consumer reflecting their preferences, characteristics, behavior, attitude
  • From where do you collect Personal Information?
    • Compile a list of all the parties from whom you source data. This includes third party sources of information (like public databases or consumer reporting agencies) but also, importantly, lead generation, and social media.
  • Where and how is Personal Information stored?
    Note: This information will come in handy both for responding to access/deletion requests and for assessing compliance with the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Ask:
    • In what locations is personal information stored within the organization?
    • What business units are involved?
    • Is any personal information held by third-party providers? (Don’t forget to include third parties providing services related to California employees).
    • What protections are applied to this information? (Here, it would be helpful to refer to the relevant information security documentation that describes them).
  • What do you do with the Personal Information?
    • Compile a list of each piece of information and the relevant purpose/use.
      • This will come in handy for the data access requests in connection with which you will need to provide a description of the purpose for particular information requested.
  • How long do you keep it? Why?
    • For the information mapped out above, compile a chart denoting item, time retained, and reason.
    • Assess the chart you compiled to determine whether these durations (or your existing records retention policy) should be revised.
    • Consider whether any of the information could serve the same purpose if de-identified or aggregated.
  • With whom do you share it?  And for what purpose?
    • Differentiate between information that is “sold” and information that is “shared for a business purpose.”
    • Ideally you should have the following separate lists (which you will need to pull from to be able to respond to access requests):
      • Categories of information sold
        • Note: You should have a way to determine the categories of information sold in the 12 months preceding the date of a request from a consumer.
      • Categories of third parties to whom personal information was sold, by category or categories of personal information sold for each third party to whom personal information was sold
      • Categories of personal information disclosed for a business purpose
        • Note: You should have a way to determine the categories of information disclosed for a business purpose in the 12 months preceding the date of a request from a consumer.
    • Compile all agreements with third party vendors (those will likely need to be amended).
  • What financial incentives do you provide consumers?
    • Review and map all loyalty and membership programs and other incentives
      • Similar to above – what information is collected, how is it used/shared/retained?
      • What is the incentive given?
      • What are the options to opt-out?
    • This will need to be assessed against the CCPA requirement of “directly related to the value provided to the consumer by the consumer’s data and disclosed in the revised privacy notice”.  [Note: this may be amended to “value provided to the business by the consumer’s data”].

2. Consider consumer rights

  • Devise a process for handling the access/deletion requests of California employees
    • See above re: gathering the information from various locations/providers
    • Assess which exceptions could be applicable to the request
  • Devise a process for handling access/deletion requests of consumers (customers)
    • See above re: gathering the information from various locations/providers
    • Assess which exceptions could be applicable to the request
    • Consider the various contact points from which requests could be received
  • Consider opt-outs from sale of information

3. Review your incident response policies/procedures

  • Do you have mechanisms and procedures in place to detect a security incident?
  • Do you have an incident response team?
  • Do you have “go-to” external resources like outside counsel, external forensics and security professionals, external public relations, identity theft protection, call centers, and other service providers?
  • Do you know the potential states/jurisdictions involved?
  • Do you know your contractual reporting obligations?

4. Conduct CCPA employee training

5. Update privacy notice/website

  • Prepare California employee privacy notice
  • Revise online privacy notice to account for new requirements
  • Secure two methods of contact for the consumer rights
  • Add a “do not sell my information” button

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. Odia leverages her experience counseling companies on GDPR compliance issues to assist companies on the road to CCPA compliance. For assistance, contact Odia at [email protected] or 215.444.7313.
