As we all know, the CCPA went into effect on January 1, 2020, and with it a robust consumer privacy law became official in the US. While the private right of action (which is limited to certain data breaches) has been available to consumers since then, the Attorney General (AG) has been on deck warming up for the enforcement date of July 1, 2020, and also feverishly crafting the final regulations, which are still being reviewed by the California Office of Administrative Law.
Now that the AG has enforcement powers (these began on July 1, 2020, even without final regulations), it will be interesting to see where enforcement focuses first. The AG has commented that breaches will certainly be one area, but what comes next: access rights or notice requirements? Time will tell.
The majority of businesses took one of two approaches towards compliance with the CCPA:
- Wait and See
- July 1 Readiness
However, there is a third boat: those businesses that were completely ready to go on January 1. Given that the regulations were not final and that the statute was amended several times before it took effect, that boat is much smaller, so we will briefly cover what we believe the majority of businesses currently face. For more in-depth information, our CCPA Playbook provides several recommendations and tips for implementing a holistic CCPA privacy program.
The Wait and See Approach
If your business has taken the Wait and See approach, it is time to get started. We recommend focusing on the following tasks to build a process for receiving and reviewing consumer privacy requests.
Consumer Privacy Requests:
- Right to Know
- Right to Delete
- Right to Opt-Out of Sale
Businesses must provide at least two methods by which a consumer can submit these requests, including a toll-free telephone number and, if the business maintains a website, a web address. Businesses must set up a centralized method to receive these requests and review them as they arrive. In the beginning this can be a task force working through requests manually, until the business operationalizes how the requests will be honored. Be mindful that receipt of a request to know or delete must be confirmed within ten business days, and the request must be honored within 45 calendar days, with an additional 45-day extension available only when reasonably necessary (requests to opt out of sale must be honored sooner, within 15 business days). I caution against treating the 45-day extension as an automatic 90 days to honor every request, as this is not the intent of the regulations.
Once the ad hoc process for facilitating privacy rights is in place, ensure the business trains every employee who is responsible for, or could receive, a consumer privacy request on the escalation and review processes. Further, having templated confirmation letters on hand saves time and helps ensure you confirm receipt of any request within the ten-business-day timeframe.
Privacy Policy:
- Must be updated at least every 12 months
- Must notify the consumer of how to exercise rights (outlined above)
- Must provide a toll-free number and web page to submit privacy requests
- Must inform the consumer of the right to stop the sale of personal information
- Must inform the consumer of the categories of personal information collected
- Must inform the consumer of the purposes of collection
- Must inform the consumer of the types of third parties with which the personal information is shared
- Must inform the consumer of the business purpose of sharing the personal information
- Must inform the consumer of the categories of third parties to which the personal information is sold
The July 1 Readiness Approach
The second approach (readiness for the July 1 enforcement date) puts businesses in a position to consider how they will test their program. Here are items that should be audited on a regular basis:
- Vendor contracts and their role under the CCPA as it pertains to your organization
- Inventory accuracy
- AdTech function and the cookies/trackers on your website
- Consumer privacy requests
- Written breach notice escalation procedures
- Technical and security controls (enlist your information security team and get insight into this side of the business)
- Privacy awareness training effectiveness and accuracy
When auditing the program, keep records of the results and of any remediation steps taken. Where possible, these records should also show where business decisions were made and why. Documenting how you remediated items will help rebut an assertion that a violation was intentional, which carries the higher civil penalty under the CCPA.
A privacy program is not a set-it-and-forget-it exercise; it must be monitored to ensure it continues to meet the requirements of the CCPA and any other privacy obligations your business has. While the CCPA is the start, other states continue to propose privacy legislation and will likely pass their own versions of the CCPA soon enough.