Saturday, November 2, will mark 60 days until the California Consumer Privacy Act (CCPA) goes into effect. While each organization will have its own unique compliance challenges, there is a discrete set of tasks – at a minimum – that each organization needs to undertake in the next 60 days as the first steps toward compliance.
1) Analyze: Does the CCPA apply to your organization?
The CCPA’s scope is incredibly broad but not limitless. As a threshold matter, organizations should analyze whether the CCPA’s definition of “business” covers their organization.
2) Inventory: Do you know what personal information flows into and out of your organization?
At its core, the CCPA requires organizations to disclose the types of personal information that they collect, the purpose for that collection, and whether that personal information is shared with other entities. Understanding how data flows in, out and within your organization is an indispensable step in the compliance process and will allow you to prepare consumer notices and respond to consumer requests. The inventory process can be streamlined by using Husch Blackwell’s CCPA Data Inventory Tool.
3) Prepare: Have you prepared consumer-facing disclosures?
Organizations subject to the CCPA will need online privacy policies by January 1 that comply with the numerous new and complex requirements. A notice at point of collection and a notice of right to opt-out may also be required. Given that these notices need to be posted online, organizations will need to make sure that the notices and the technology to present them are up and running by January 1 (or risk a public showing of non-compliance).
4) Create processes: Can you respond to consumer requests?
As of January 1, organizations subject to the CCPA must provide California residents a mechanism to submit requests to delete their information and/or access specific pieces of personal information that organizations are holding. California residents may also submit requests to opt-out of an organization’s sale of personal information to third parties. The CCPA and the California Attorney General’s proposed regulations have specific requirements on how these requests must be received, how organizations must verify the identity of an individual making certain types of requests, and how organizations must respond to those requests. These specific requirements need to be integrated before January 1 so that organizations can timely respond to these requests. Organizations also need to make sure that they provide CCPA training to relevant employees.
5) Update agreements: Have you secured data-sharing agreements with service providers?
The CCPA draws a sharp distinction between personal information that is shared with “service providers” and personal information that is shared with “third parties.” Organizations should review their data transfers to determine whether each recipient should be classified as a service provider or a third party, and what the legal implications of that designation are. For any entity that can be classified as a service provider, organizations will need to enter into a CCPA-compliant data-sharing agreement with that entity.