On January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect and affect many, if not most, businesses that collect information about California residents. Covered businesses need to accelerate their compliance efforts to meet the January 1, 2020 compliance deadline. Although covered businesses may take advantage of a six-month grace period before the California Attorney General can begin enforcing its regulations on July 1, 2020, a future enforcement action can be based on conduct that occurred prior to July.
Below, we have prepared a checklist summarizing the steps that companies should consider in their CCPA compliance efforts.
1. Track Your Data
The CCPA provides certain rights to "consumers" (defined broadly to mean any California resident) over their "personal information (PI)," which includes categories of data that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Also, while certain consumer rights are triggered when a business "sells" consumers' PI, "sale" of PI is yet another broadly defined term that includes "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means" PI in exchange for money or other valuable consideration. To understand what PI you are collecting from California residents, you must track the collection of PI and the purposes and uses of such collection.
3. Provide Obvious Opt-Out Rights
4. Develop Processes for Consumer Requests
You should establish at least two methods (e.g., a toll-free number, a website address) for consumers to make CCPA data rights requests. You will also need processes to verify any such consumer requests. For example, a business must consider the type, sensitivity, and value of the PI collected and stored, and create a more stringent verification process for sensitive PI, such as Social Security or credit card numbers. If you maintain password-protected accounts with consumers, you may verify a consumer's identity through your existing account authentication practices. If you do not have any password-protected accounts for consumers, more stringent verification requirements must be met. For example, if a business maintains a consumer's name and credit card number, the business may require the consumer to provide the credit card's security code and to identify a recent purchase made with that credit card to verify the consumer's identity.
5. Review and Revise Your Vendor Agreements
Businesses are excepted from the requirements of the CCPA where they disclose PI only to a service provider, and where such disclosure is necessary to perform a business purpose. Businesses may take advantage of this exception if they provide appropriate notice to consumers, and the service provider does not further collect, sell, or use the PI, except as necessary to perform a business purpose. To qualify as a service provider, an entity must be a for-profit entity that receives and processes a consumer's PI from a business pursuant to a written contract. The contract must prohibit the service provider from "retaining, using, or disclosing" the PI for any purpose other than what is specified under the contract or as otherwise allowed by the CCPA. Accordingly, you should review your existing agreements, both with vendors and, if applicable, with other contractual parties from whom you receive PI, to determine whether you qualify for this CCPA exception.
6. Develop a Training Program
The Draft Regulations require businesses to train personnel responsible for handling consumer requests about the requirements of the CCPA and the Draft Regulations, and to respond to consumers who wish to exercise their CCPA rights. Although this training will have to be refined and updated as the CCPA and its regulations evolve, initiating a training program that outlines the current legal framework is a good start in proactively approaching CCPA compliance.
7. Implement a Data Request Record-Keeping Process
The Draft Regulations require covered businesses to document and retain data access requests. You should develop a record-keeping system, or amend your existing system and document retention policies, to preserve, retain, and store the records of CCPA requests and the business's responses to those requests for at least 24 months. A records log need only include the date and nature of the request, the manner in which it was made, the date and nature of the response, and, if the request was denied, the basis for the denial.