7 Steps to Comply with the CCPA

Christopher Champine, Benjamin Ebbink, Darcey Groden, Anthony Isola, Usama Kahf, Anne Yarovoy Khan, Jenna Rogenski
Fisher Phillips
Contact
LinkedIn
Facebook
X
Send
Embed

Fisher Phillips

Getting into compliance with the California Consumer Privacy Act (CCPA) can seem like an overwhelming task. After all, the law is comprised not only of a dense statute and detailed regulations, but the amendment effective January 1, 2023 has added to the complexity by removing the exemptions for data collected in the employment and B-2-B contexts. But there’s good news. Businesses subject to the law can take the below seven steps to achieve full compliance.

A word of caution, however. These compliance steps can take six to twelve months to complete, and are best handled by working closely with data privacy counsel.

1. Inventory and map all consumer data, including employee and job applicant data.

Understand pertinent defined terms such as what is “personal information” and “sensitive personal information,” who is a California “consumer” (including employees and job applicants), and what constitutes “collection” under the regulations to frame the scope of any data inventory or mapping exercise.

  • Consider the various sources, channels, or points at which you collect data from a consumer, and at what date and time the collection occurs.
  • Evaluate the business purpose for which you collect and process any information, and with whom it is shared. Are there any service providers or third parties (as these entities are defined in the regulations) who store or process any consumer data on your behalf?
  • Identify the location in which data is stored and who has access to the data, and determine applicable retention periods for each category of personal and sensitive personal information collected.

2. Take appropriate steps to secure all consumer and employment-related data.

In support of the obligation to secure consumer data, you may be required to conduct an annual security assessment depending on risk factors and sensitivity of the data you collect or maintain.

  • The implementation of reasonable security procedures and practices may include a review of any cyber and/or information security policy(ies) and incident response plans.
  • Any security review should evaluate the security measures of service providers, contractors and third parties and include updating agreements to comply with CCPA requirements.

3. Prepare and provide a “notice at collection” to all consumers (including employees and job applicants) at or before collecting any consumer data.

Review the content requirements for the Notice at Collection and update for compliance with the CCPA regulations effective March 29, 2023.

  • Evaluate where data is collected (for example online, in-person, or telephonically) and ensure the Notice at Collection is available at such location.
  • Make sure you distribute the notice to job applicants as well as new and current employees.

4. Prepare and post a comprehensive privacy policy on your website.

  • Make sure it includes more than just the Notice at Collection, providing employees with a privacy policy pertaining to all employment-related data explaining how they can exercise their CCPA rights. 
  • Ensure the privacy policy includes all required content under by the CCPA, including, but not limited to, whether any data is sold (which includes any sharing of data with a third party that is not a “service provider” in exchange for valuable consideration).

5. Deploy a process to receive and respond to consumer requests from all consumers (a process referred to by many privacy practitioners as DSR or data subject request, although the term is not used in the CCPA).

Implement a consumer request process that can address all the types of requests a consumer can make under the CCPA, including, but not limited to, the right to know, request to delete, request to correct and the request to opt out of the sale of personal information. Since January 1, 2023, consumers can submit a request to correct information and request to limit the use or disclosure of sensitive personal information.

  • You must implement at least two methods for CCPA requests and adhere to strict response deadlines.
  • In addition, you must implement a verification process to verify the identity of the person making a request.

6. Implement data minimization rules.

This includes a data retention policy and workflow for purging stale data for which there is no legal or business reason to keep.

7. Train all managers and employees on all CCPA requirements in which they play any role.

This may include those responsible for CCPA compliance and anyone directly interacting with consumers and providing information, notices, and forms, or assisting with the business’s response to any CCPA request.

Conclusion

Compliance with consumer privacy laws is not a matter of distributing templates that are turnkey or “plug and play.” Rather, compliance is an ongoing and individualized process, and all the requisite forms, templates, notices, and policies must be tailored for your business.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fisher Phillips | Attorney Advertising

Written by:

Fisher Phillips
Fisher Phillips
Contact
more
less

Fisher Phillips on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide