March 12, 2019
What does CCPA stand for, and what is it?
The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new consumer privacy law that will impact many businesses not only in the State of California but throughout the United States. The CCPA regulates how companies handle personal information and grants California consumers new rights to access and delete their data, while placing restrictions on entities that collect, store, and sell Californians’ personal information. The law goes into effect on January 1, 2020.
What is CCPA Compliance? The Road to Compliance
1. CCPA Assessment
To determine whether the CCPA applies to your company or organization, you should perform a CCPA assessment to see what steps will be necessary to comply with the requirements. The CCPA requires that regulated companies handle and protect the personal information of California residents by: (1) providing specific types of disclosures to consumers, (2) accepting and processing consumer requests, (3) creating a consumer opt out for the sale of personal data, and (4) providing privacy training to employees. As part of the assessment step, a company should consider what kind of data it collects, how it collects the data, what it does with the data, and what disclosures, if any, it already has in place.
The SixFifty CCPA Applicability quiz can help your organization determine whether the new privacy laws will apply to you. Consulting an attorney is also recommended.
2. Create a Data Map
Even before the CCPA regulations go into effect in 2020, your organization should begin mapping where and how the personal information of California residents is collected, stored, transmitted, and sold. The CCPA requires that organizations be able to find, and in some cases, delete, specific pieces of personal information they have gathered during the preceding 12 months. To do that, organizations need to know where they have stored the personal information of California residents and with whom they have shared it.
In some instances, your organization may be required to not only delete that information from your own systems but also direct your partners, affiliates, and service providers to do the same. Creating a data map for personal information is a technical process that SixFifty can help you with using its automation tools.
3. Third-Party Contracts
Your organization should also start reviewing its contracts with companies and individuals with whom it shares personal information to ensure that those contracts contain the terms and conditions required by the CCPA. In some cases, your organization may need to renegotiate existing contracts. Moving forward, your organization should plan to include CCPA-required terms in any new contracts that involve the sharing, transfer, or sale of personal information. SixFifty Privacy can provide you with automation tools for the creation of these contract terms and with updates should the California rules change.
4. Privacy Notice
Your organization should have a privacy notice on its website, as required by the new law. Before an organization collects information from California consumers, it must explain: (1) what personal information the organization collects, (2) who the organization collects that data from, (3) the purpose for collecting the data, and (4) who the organization shares the data with or sells the data to. The CCPA requires that organizations disclose this information online.
The privacy notice must also disclose the rights of California consumers under the CCPA, including the right to opt out of the sale of their personal information (and “sale” is broadly defined under the CCPA). The notice must be accessible from your organization’s homepage, as must the opt-out option, in the form of a “clear and conspicuous link” for those consumers who do not want their information sold.
5. Request Management
Your organization will need a system to collect, track, and respond to requests from California residents to access or delete their personal information. The CCPA gives California residents the right to request that organizations: (1) grant them access to their data, (2) delete their data, and (3) provide them with information about how their data is being used. Organizations must respond to these requests within 45 days.
There are several broad categories of exceptions for situations in which a business will not have to honor deletion requests. However, in order to be compliant, organizations must honor requests that their data not be sold: the CCPA does not include any exceptions to the consumer’s right to opt out.
Therefore, your organization should have a system to collect and track the names of consumers who do not authorize you to sell or share their personal information. For compliance purposes, it is important that an organization keep an accurate list of those names to ensure that it does not sell the personal information of those consumers and that it does not request their permission to sell their information for at least 12 months after they opt out.
6. Internal Policies and Training
Your organization should have written policies and procedures that tell its employees how to comply with CCPA requirements. If your organization is ever investigated for noncompliance or a data breach, those policies and procedures may help demonstrate and defend your efforts to meet CCPA requirements. It is therefore important not only that the procedures be written down, but also that your organization actually implements and follows them.
Your organization should inform its employees about compliance requirements and provide privacy training before the CCPA becomes effective. Because legal requirements and internal processes change, organizations will need to periodically update that training even after the law takes effect, as they revise their handling of data, contracts, policies and procedures, and privacy notices.
7. Effective Date
The CCPA goes into effect on January 1, 2020. With few exceptions, organizations that handle the personal information of California residents must be prepared to comply with the CCPA by that date or risk severe penalties. Although enforcement by the California Attorney General will not begin until July 1, 2020, consumers’ private right of action becomes effective immediately on January 1.
Determining which exceptions do and do not apply to your organization’s treatment of consumer data, and identifying how to come into compliance with the CCPA, requires a thorough analysis of: the personal information you take in and share; the processes by which, and the business purposes for which, you handle and potentially share personal information; and where specific pieces of personal information are shared. The CCPA is a complicated law that is still undergoing review by the California Attorney General and others, so it is important to remain engaged and watch for updates.
***DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.***
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...