60 Days Until The CCPA Goes Into Effect: Are You Ready?

Husch Blackwell LLP

Saturday, November 2, will mark 60 days until the California Consumer Privacy Act (CCPA) goes into effect. While each organization will have its unique compliance challenges, there are a discrete set of tasks – at a minimum – that each organization needs to undertake in the next 60 days as the first steps toward compliance.

1) Analyze: Does the CCPA apply to your organization?

The CCPA’s scope is incredibly broad but not limitless. As a threshold matter, organizations should analyze whether the CCPA’s definition of “business” covers their organization.

2) Inventory: Do you know what personal information flows into and out of your organization?

At its core, the CCPA requires organizations to disclose the types of personal information that they collect, the purpose for that collection, and whether that personal information is shared with other entities. Understanding how data flows in, out and within your organization is an indispensable step in the compliance process and will allow you to prepare consumer notices and respond to consumer requests. The inventory process can be streamlined by using Husch Blackwell’s CCPA Data Inventory Tool.

3) Prepare: Have you prepared consumer-facing disclosures?

Organizations subject to the CCPA will need online privacy policies by January 1 that comply with the numerous new and complex requirements. A notice at point of collection and a notice of right to opt-out may also be required. Given that these notices need to be posted online, organizations will need to make sure that the notices and the technology to present them is up and running by January 1 (or risk a public showing of non-compliance).

4) Create processes: Can you respond to consumer requests?

As of January 1, organizations subject to the CCPA must provide California residents a mechanism to submit requests to delete their information and/or access specific pieces of personal information that organizations are holding. California residents may also submit requests to opt-out of an organization’s sale of personal information to third parties. The CCPA and the California Attorney General’s proposed regulations have specific requirements on how these requests must be received, how organizations must verify the identity of an individual making certain types of requests, and how organizations must respond to those requests. These specific requirements need to be integrated before January 1 so that organizations can timely respond to these requests. Organizations also need to make sure that they provide CCPA training to relevant employees.

5) Update agreements: Have you secured data-sharing agreements with service providers?

The CCPA draws a sharp distinction between personal information that is shared with “service providers” and personal information that is shared with “third parties.” Organizations should review data transfers to determine whether the recipients should be classified as service providers or third parties and the legal implications of those designations. For any entity that can be classified as a service provider, organizations will need to enter into CCPA compliant data-sharing agreement with those entities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising

Written by:

Husch Blackwell LLP

Husch Blackwell LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.