The best time to plant a tree was 20 years ago. The second best time is now. - Chinese Proverb
In fewer than 6 months, the requirements of the California Consumer Privacy Act ("CCPA") come into operation. With no sign that CCPA's obligations will be materially watered down or preempted by federal legislation, companies that have not started preparing for CCPA need to do so as quickly as possible in order to meet the January 1, 2020 deadline. Like any new project, the question of "where do I start?" is frequently one of the biggest hurdles and can delay the initiation of the project. Therefore, to help with this first step, we've set out below our top tips for tackling CCPA compliance.
(1) Leverage your GDPR or other privacy programs. Although there are significant differences between the CCPA and the European Union General Data Protection Regulation ("GDPR"), many of the obligations imposed by the CCPA (e.g., notice, information gathering, obligations for data sharing, access rights, deletion rights, and opt-out rights) are similar enough that companies can and should try to leverage the work they undertook to address the similar obligations for GDPR as the starting point for building out a CCPA compliance program.
(2) Identify a cross-functional CCPA team. To address the requirements of the CCPA in a meaningful way, companies will need to tap into the expertise of a variety of different stakeholders and departments across the organization and develop a coordinated approach. In addition to needing strong legal and privacy support to help shape different elements of the CCPA program, it is critical to obtain the support and buy-in of the IT teams to implement the technical obligations of the CCPA, such as mechanisms that allow consumers to opt out of the sale of their personal information and mechanisms to delete personal information. Similarly, stakeholders from marketing or other functions that are key users of personal information within the company are critical for helping companies understand how personal information is gathered from consumers and how it is used across the company. Without this 360-degree view of information collection, use and sharing practices, it will be very difficult to develop the multi-layered solutions that are critical for CCPA compliance.
(3) Develop a strategy for information gathering and categorization. As with all privacy compliance programs, the foundation for a strong CCPA compliance program is understanding and documenting what personal information your organization collects as well as how such information is used and disclosed (both internally and externally). This is a deceptively complicated task and may be the most labor- and time-intensive element of building your CCPA compliance program. Obtaining this information from across the company in sufficient detail to meet the requirements of the CCPA often requires additional resources in the form of staffing or specialized service providers.
(4) Determine where you "sell" personal information. One of the most formidable elements of the CCPA is its broad definition of what constitutes the "sale" of personal information, for which the company must provide notice and a right for consumers to opt out. This definition sweeps in a broad array of disclosures that do not meet the traditional notions of sale (e.g., intra-affiliate sharing of personal information in certain circumstances). Therefore, companies need to truly understand their disclosures of personal information - including in the online environment (e.g., online behavioral advertising) - and develop a strategy for determining which disclosures qualify as sales and for addressing opt-outs related to these disclosures (or opt-ins for minors). In addition, it will be important to develop template contract language for the various types of disclosures and to begin to build out the mechanisms for honoring consumer choice requirements under the CCPA.
(5) Be ready to update company privacy statements and similar disclosures. The CCPA sets out specific content requirements for online privacy policies and also requires that consumers be notified about personal information collection at or before the time the information is collected. Companies need to understand what specifically must be included in their consumer-facing notices and be prepared to update them to meet these content requirements.
One last tip: Don't forget to monitor other state and federal law developments. The CCPA is not the only US privacy law on the horizon. Nevada recently enacted a similar but more limited consumer privacy law, and a number of other states are expected to follow suit this year or next. At some point, federal privacy legislation may also come into play. Companies should be looking down the road at these rules and trying to anticipate and leverage the steps for CCPA compliance.