Originally published January 2019.
While the enforcement date for the California Consumer Protection Act (CCPA) may seem to be far in the future, it’s never too early to develop a readiness plan and begin implementing changes. Even though the California law is less complex than GDPR, adequate preparation still requires more time and effort than some purveyors of checklists or “CCPA compliance made easy” products might have you believe.
In our discussions with businesses impacted by CCPA, we notice that many are on top of the high-visibility requirements, such as updating privacy policies and adding a “do not sell my personal data” link to websites. However, some less-talked-about aspects of the law seem to be off their radars. As you develop and implement your organization’s CCPA readiness plan, here are three often overlooked but vitally important questions to keep in mind.
1. Are we architected to respond when residents exercise their CCPA rights?
CCPA confers six rights on California residents:
- The right to request information about personal data collected
- The right to access personal information in a portable format
- The right to request deletion of personal information
- The right to request disclosure of categories of personal information a business sells or discloses
- The right to opt out of the sale of personal information
- The right to equal service and price, regardless of whether they exercise their privacy rights
Many companies affected by CCPA are planning to update their policies and procedures to accommodate California residents exercising their rights once the law goes into effect. One question some overlook is the “how” behind the “what” — how will their data architectures support prompt fulfillment of those data subjects’ requests?
For example, say that after CCPA goes into effect, “Albert Einstein” contacts you to request erasure of his personal information. Your first step is to validate that the request actually came from Albert Einstein, and then your data architecture must enable your organization to:
- Find his personal information
- Delete the information
- Document the deletion
- Confirm that you’ve deleted all instances of his personal information
Even though the California Attorney General’s general enforcement of CCPA won’t begin until July 2020 (or six months after publication of the final regulations, whichever is sooner) per the CCPA revision bill SB 1121, residents may still contact you with requests for access, erasure, etc. beginning on the law’s effective date, and you need to be ready.
As you might imagine, making the necessary changes to your data architecture is not something you can accomplish in the months before CCPA takes effect. This effort takes careful planning and mindful execution, so the sooner you can get started, the better off your organization is likely to be.
2. Can we accommodate the 12-month lookback requirement?
Keep in mind that transparency is key to CCPA readiness. This means that companies have to be prepared to disclose not only types of personal information collected and used, but also to whom it has been disclosed. One clause in the CCPA that seems to attract little attention is Section 1798.130, which specifies that businesses must respond to data subjects’ requests for disclosure with information on activity from the preceding 12 months.
Returning to our example above, if Mr. Einstein calls in January 2020 to ask for the categories of his personal data that you disclosed to third parties, you must provide information on all that activity going back to January 2019.
Responding to these requests appropriately requires a comprehensive tracking system for all sales and disclosure of personal data. Putting those capabilities in place now will save you the hassle of having to retrofit a solution if you wait until just before the enforcement date.
3. Is CCPA training part of our readiness plan?
One of the key differences between CCPA and GDPR is that, unlike the European law, CCPA specifies an obligation to ensure proper training of employees. Section 1798.130(a)(6) states that a business shall “…ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.”
While training may not be on your radar, it’s important that you include it in your plan.
As your organization puts the pieces in place to prepare for CCPA, addressing the more prominent aspects of compliance is just the beginning. If you’re uncertain what your readiness strategy might be missing, or if you need some help with planning or execution, just give us a call.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.
Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.