Recent regulatory developments

Late last week, the California legislature published proposed technical amendments to the California Consumer Privacy Act of 2018. These amendments reflect almost two months of lobbying by both consumer and industry groups. In addition, the FTC has received a number of complaints that the Act, along with other proposed state actions, would create confusion in an already-fragmented approach to privacy and security in the United States.

5 steps to take now

While the changes in the Act and attacks on the Act continue to create uncertainty, businesses need to consider immediate steps to avoid the significant penalties for non-compliance. Businesses must be in full compliance on the effective date of January 1, 2020. It will not be adequate to start compliance efforts on that date.

In particular, there are 5 steps that businesses need to take to ensure compliance by the effective date:

  1. Create a standardized approach for handling consumer requests for personal information.
  2. Develop procedures for responding to consumer requests.
  3. Develop data collection and processing tracking procedures to understand what data is collected, where it resides, how it is maintained, and who is responsible for it.
  4. Analyze the legal basis for collecting and processing personal information – businesses will need to explain their legal rationale for exemptions to the consumer’s right to have their information deleted.
  5. Review their public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected and a conspicuous link titled “Do Not Sell My Personal Information.”

The California Consumer Privacy Act of 2018 addresses many of the concerns and requirements of the EU’s General Data Protection Regulation. Companies that take prompt action to comply with the California Act and the GDPR will likely gain a substantial advantage over competitors who wait.