On January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect and affect many, if not most, businesses that collect information about California residents. Covered businesses need to accelerate their compliance efforts to meet the January 1, 2020 compliance deadline. Although covered businesses may take advantage of a six-month grace period before the California Attorney General can begin enforcing its regulations on July 1, 2020, a future enforcement action can be based on conduct that occurred prior to July.

Below, we have prepared a checklist summarizing the steps that companies should consider in their CCPA compliance efforts.

1. Track Your Data

The CCPA provides certain rights to "consumers" (defined broadly to mean any California resident) over their "personal information (PI)," which includes categories of data that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Also, while consumer rights are triggered when a business "sells" consumers' PI, "sale" of PI is yet another broadly defined term that includes "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means" PI in exchange for money or other valuable consideration. To understand what PI you are collecting from California residents, you must track the collection of PI and the purposes and uses of such collection.

Tracking data is also an essential component of the California Attorney General's October 10, 2019 draft regulations (the "Draft Regulations"), which require company privacy policies to include a description of, among other things, the categories of PI collected, the "purpose of use" for each category of PI, and the categories of third parties with whom PI is shared. To accurately provide such detailed information in your privacy policy, you must have a system in place to track the collection, usage, and transmittal of consumer PI.

2. Revise Your Privacy Policy, Make It Consumer Friendly, and Update Your Website

You should revise your privacy policy to include information related to your PI collection practices and the rights of California residents over their PI. For example, a privacy policy should explain a consumer's right to, among other things, obtain information about the categories of PI collected by the company, request deletion of their data, and opt-out of the further sale of their data to third parties. The privacy policy should also describe the company's verification process for such requests, provide instructions on how to submit verifiable requests, and provide links to an online form or portal for making the request.

The Draft Regulations also provide specific format requirements that businesses need to follow when drafting or revising their privacy policies. The language of your privacy policy should be consumer friendly, readable, available in all languages in which your business normally provides disclaimers or announcements to consumers, accessible to consumers with disabilities, and available in printable format.

You must also revise your website to post your privacy policy online through a link titled "privacy" on your homepage or on the download or landing page of the company's mobile application. If you already have a California-specific description of consumer privacy rights on your website, your privacy policy must also be included in that description.

3. Provide Obvious Opt-Out Rights

Businesses that are subject to the CCPA must maintain a "clear and conspicuous link" on their website homepage titled "Do Not Sell My Personal Information," which links to a web page that enables a consumer or their designee to opt-out of the sale of their PI. This link must also be included in your online privacy policy or in any California-specific description of consumer privacy rights that you provide online. For consumers who have opted out, you must respect that decision for at least 12 months before requesting authorization to sell their PI. Therefore, record keeping and tracking of opt-out requests are paramount.

4. Develop Processes for Consumer Requests

You should establish at least two methods (e.g., a toll-free number, a website address) for consumers to make CCPA data rights requests. You will also need processes to verify any such consumer requests. For example, a business must consider the type, sensitivity, and value of the PI collected and stored, and create a more stringent verification process for sensitive PI, such as Social Security or credit card numbers. If you maintain a password-protected account with consumers, you may verify a consumer's identity through your existing account authentication practices. If you do not have any password-protected accounts for consumers, more stringent verification requirements must be met. For example, if a business maintains a consumer's name and credit card number, the business may require the consumer to provide the credit card's security code and to identify a recent purchase made with that credit card to verify the consumer's identity.

5. Review and Revise Your Vendor Agreements

Businesses are excepted from the requirements of the CCPA where they disclose PI only to a service provider, and where such disclosure is necessary to perform a business purpose. Businesses may take advantage of this exception if they provide appropriate notice to consumers, and the service provider does not further collect, sell, or use the PI, except as necessary to perform a business purpose. To qualify as a service provider, an entity must be a for-profit entity that receives and processes a consumer's PI from a business pursuant to a written contract. The contract must prohibit the service provider from "retaining, using, or disclosing" the PI for any purpose other than what is specified under the contract or as otherwise allowed by the CCPA. Accordingly, you should review your existing agreements, both with vendors and, if applicable, with other contractual parties from whom you receive PI, to determine whether you qualify for this CCPA exception.

6. Develop a Training Program

The Draft Regulations require businesses to train personnel responsible for handling consumer requests on the requirements of the CCPA and the Draft Regulations, and on how to respond to consumers who wish to exercise their CCPA rights. Although this training will have to be refined and updated as the CCPA and its regulations evolve, initiating a training program that outlines the current legal framework is a good start in proactively approaching CCPA compliance.

7. Implement a Data Request Record Keeping Process

The Draft Regulations require covered businesses to document and retain data access requests. You should develop a record keeping system or amend your existing system and document retention policies to preserve, retain, and store the records of CCPA requests and the business's responses to those requests for at least 24 months. A records log need only include the date and nature of the request, the manner in which it was made, the date and nature of the response, and the basis for denial, if the request was denied.