We are seeing companies use many different approaches to compliance with the California Consumer Privacy Act (“CCPA”), but the “wait and see” approach in particular is not advisable.
Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links below). Others point to the California Attorney General regulations that will be released in draft form in the next few months, which should provide some guidance to implementing CCPA.
Those statements are indeed accurate, as far as they go. However, they neglect the fact that most businesses cannot turn on a dime and do not have a robust grasp of the IT and business systems that collect and share personal information. Given that January 1, 2020 is almost upon us and July 2020 follows close behind, there simply will not be enough time to implement CCPA once the amendments are passed and the guidance is provided if you do not start now (or ideally, have started already).
These new obligations raise several questions for companies, including:
- Where will the “Do Not Sell My Personal Information” link appear on the company website? Who is doing the programming? The testing? To what Internet webpage will it link for consumers to submit the opt-out request? Who will receive the completed form? What will they do with it? How will a company ensure that the opted-out user is not solicited to opt back in for 12 months?
- Does the company currently provide privacy notices before collecting personal information? What personal information has the company collected in the last 12 months regarding each California consumer? Where is that data located? To whom was the information transferred and for what purpose?
- What will happen when a consumer exercises the “access” right? What is the process for locating and preparing that information for the consumer within 45 days of the consumer’s request? What is the process for verifying the consumer?
- What happens when a consumer files a deletion request? Does the company know which service providers must be notified? Which CCPA exceptions will apply? If the company is relying on the exception that allows for information to be used for internal usage only, how will the company ensure that the uses of the data remain purely internal?
- What are the business’s cyber security protocols and protections for personal information? How would the business establish that they are reasonable? Has the business evaluated its security program and, if so, what did it find and did it act on the findings?
Compliance is not instantaneous and any new program to comply with CCPA will need to navigate the business’s administrative procedures and rely on the IT infrastructure. Some of the IT concerns that may impact a privacy program implementation timeline include:
- Does the company website have any code freeze dates, where no changes to the website can be made?
- Is there a deadline by which any new code should be added to the company systems to comply with the January 1, 2020 deadline?
- What is the budget for CCPA work and does the company have adequate expertise and time in-house to complete the work?
- How can any overruns on the budget be justified to management?
In addition to the privacy compliance and legal teams who will need to work with IT on many of the issues listed above, the third party risk or procurement team is another critical stakeholder. How many of the company’s third party agreements meet the definition of “sale” under CCPA or the new Nevada law, which goes into effect on October 1, 2019? Much like how GDPR has required data processing addendums, CCPA will require service provider agreements to be modified to meet CCPA’s data usage restrictions. For business areas that might be most impacted, be sure to ask the Marketing department about any “data onboarding” agreements or joint partnerships the company might have or plans to have in the next year.
Given the sweeping nature of the work that is necessary to be completed before January 1, do you still think “wait and see” is the right approach? Many organizations are conducting risk assessments now, weighing the potential impact of these new legal requirements, and engaging in risk acceptance discussions. A meeting of the minds on the gaps and the risks to be accepted is recommended so that there are no surprises when an organization is faced with litigation, regulatory inquiries or third party claims.
Our other CCPA articles:
Article 1: Summary of CCPA’s major provisions
Article 2: CCPA covered entities
Article 3: CCPA definition of personal information
Article 4: CCPA disclosure requirements
Article 5: CCPA “Right to Deletion”