CCPA IS COMING: Things That You Can Do To Prepare
Earlier this week, I wrote about Microsoft’s recent announcement that it will apply the strictures of the California Consumer Privacy Act (CCPA) across the entire United States. This decision promises to remap privacy policy across the country, because CCPA creates a host of new data privacy obligations for companies that do business in California, and by extension, in the US. The CCPA goes into effect on January 1, 2020, and includes comprehensive disclosure requirements, provides consumers with extensive rights to control how their personal information is used and shared, imposes statutory fines, and allows individuals to sue over certain violations. I believe that it will dramatically alter how U.S.-based companies collect and process data.
Why not just “wait and see”? CCPA includes a “12-month look back” provision requiring companies to respond to consumer inquiries about data collected or disclosed in the immediately preceding 12 months. This means that a response to a request filed in July 2020 will need to contain information dating back to July 2019. In order to be able to respond, you will likely need to undertake considerable preparation.
Who is subject to the CCPA? Not only California-based entities. Any company that is a for-profit business, collects and processes California consumers’ personal information and does business in the state (even remotely) is subject to CCPA if it (or an entity it controls or is controlled by and shares common branding with) meets any one of the following three thresholds:
• Generates at least $25 million in annual gross revenue; or
• Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices, per year; or
• Derives at least 50 percent of annual revenue from selling California consumers’ personal information.
SO, WHAT CAN YOU DO TO PREPARE?
1. Map your Personal Information
Ask yourself the following questions about the personal information your company collects and processes to map out key aspects of your data handling practices.
• What Personal Information do you collect?
• From where do you collect Personal Information?
• Where and how is Personal Information stored?
• What business units are involved?
• Is any Personal Information held by third-party providers?
• What protections are applied to this information?
• What do you do with the Personal Information?
• How long do you keep it? Why?
• With whom do you share it? And for what purpose?
• What financial incentives do you provide consumers?
2. Consider consumer rights
• Devise a process for handling the access and deletion requests of California employees
• Devise a process for handling access/deletion requests of consumers (customers)
• Consider opt-outs from sale of information
3. Review your incident response policies and procedures
• Do you have mechanisms and procedures in place to detect a security incident?
• Do you have an incident response plan?
• Do you have “go-to” external resources like outside counsel, external forensics and security professionals, external public relations, identity theft protection, call centers and others?
• Do you know the potential states/jurisdictions involved?
• Do you know your contractual reporting obligations?
4. Conduct CCPA training for your team
5. Update your privacy notice, terms of service, and website
• Prepare California employee privacy notice
• Revise online privacy notice to account for new requirements
• Provide at least two methods by which consumers can submit requests to exercise their rights
• Add a “do not sell” option any time you collect consumer information
Do you have more questions? Let’s schedule some time.