The CCPA is in Effect… NOW What?

The holidays are supposed to be a time of rest and relaxation. That was not the case, however, for businesses and professionals preparing for the California Consumer Privacy Act, or CCPA.

Businesses are expected to be compliant with the CCPA given that it went into effect on January 1, 2020. While not enforceable until what is looking to be a July 1, 2020 date by the AG, businesses should still be making strides to comply and begin meeting all of the requirements as outlined under the CCPA.

For businesses that have taken the wait and see approach, here are some things we recommend getting in place. Some of these could serve as a patch or ad hoc process until the formal privacy program is up and running, so don’t feel overwhelmed by the tasks before you.

Reach out for support from company leadership, preferably at the executive level. Several big decisions will need to be made during your CCPA compliance journey, and the sooner someone with the authority to approve such decisions gets involved, the better.

Establish a task force of stakeholders for the privacy project. This task force should include an executive sponsor and representatives from Legal, Human Resources, Marketing, Website, and IT/S at a minimum. This will help set the direction of the project and should assist with establishing the businesses appetite for risk and high-level project plan. 

Next, the business should develop ad hoc procedures for the following:

Receiving and reviewing consumer privacy requests: 

• Right to Know
• Right to Access
• Right to Delete
• Right to Opt-out of Sale

Businesses must provide two mechanisms in which a person can make these requests including a toll-free number and website address. Set up a method to receive these requests and review them as they are received. This can include a task force and manual approach in the beginning until the business can operationalize how these requests will be honored. Be mindful that confirming receipt is required within 10 days and the request must be honored within 45 days, with a 45-day extension being available in certain circumstances. I caution against using the 45-day extension as an automatic 90 days to honor the request as this not the intent of the regulation. 

Once the ad hoc process is in place for facilitating privacy rights, ensure the business trains any employees that will be responsible for or could possibly receive a consumer privacy request on the escalation and review processes. Further, confirmation letters can assist with saving time and businesses must confirm receipt within 10 days of receiving the request. 

While this temporary informal process is in place, begin planning how the business will solve for consumer privacy requests in the long run. Review your current systems, maybe even current processes your organization has in place to honor GDPR rights requests. Don’t reinvent the wheel if you don’t have to. If there is a way to automate any of the rights review process, such as through automatic assignment through a ticketing system when a rights request is received, this will greatly increase your organization’s ability to not only meet the 45-day timeframe, but also track the steps taken internally to prove compliance with the regulation if complaints were to ever arise.

Next, and similar to the requests above, we recommend businesses have a process for receiving, reviewing, and following up with any consumers with regard to being notified of a personal data breach. This is the only area under this regulation that provides consumers with the ability to file a private right of action and notice from consumers should not be ignored as businesses have a 30-day window to respond.

If personal data types and sharing activities are limited, the business may feel comfortable with publishing an updated privacy policy with the required CCPA disclosures including the rights available to consumers, the categories of personal information collected, the purpose of the collection, and any sharing or selling activities. If the business has a complicated technical environment, numerous sharing activities, and multiple types of personal information, it may require a data mapping and inventory exercise to determine all of the disclosures. These exercises are time consuming but can be extremely beneficial to the business’s privacy program and can also be relied upon to set up future projects surrounding data retention, classification, cybersecurity, and future privacy laws. 

Now that some of the high-risk CCPA areas are established for your privacy program at the ad-hoc level, the focus should move towards expanding compliance goals to include:

• Ensuring privacy policies/notice requirements are met
• Researching and obtaining an appropriate Information Security Framework Certification
• Performing a data mapping and data inventory exercise 
• Formalize consumer privacy request processes
• Defining third parties and service providers to help determine if the business is “selling” data
• Establishing a monitoring program that assists with demonstrating compliance with the CCPA and other privacy obligations.

If you’d like more information or to discuss your organization’s privacy obligations or CCPA approach, please contact us at Connect@CompliancePoint.com.