A business subject to the CCPA should take the following steps to become compliant:
1. Map Your Data
Understanding the personal information your organization collects, retains and shares is a critical first step in assuring CCPA readiness. You should be able to answer the following questions:
What personal information does your organization collect from California consumers?
How does it collect this information and from what sources?
Where and how is the information stored?
With whom is the information shared?
Why is the information shared (e.g., provision of services, a “sale”)?
Because employee data and business-to-business contact information are carved out for 2020, you can prioritize your compliance efforts by first focusing on consumer data.
2. Review Your Current Security Controls
The CCPA allows individuals to file a lawsuit and obtain statutory damages if certain personal information is breached due to a business’s failure to utilize reasonable security practices and procedures. Now is the time to review and update your data security and privacy policies and practices to help mitigate the risk of a data breach and subsequent litigation.
3. Develop a Process for Handling Requests to Exercise Individual Rights
Given the short, 45-day response window, you should develop procedures for responding to individual requests and establish rules for when to deny such requests. Your process should also include appropriate methods to verify that the request comes from the data subject or from an authorized representative of the data subject, taking into account the nature of the information involved in the request. Although the CCPA does not allow you to require that an individual set up an account on your website to exercise his or her individual rights, recent amendments to the CCPA allow you to require that any individual who has already set up an account submit his or her request through that account. Furthermore, you should ensure your process allows for requests to be honored. For example, if an individual opts out of the sale of information, you must be able to implement that request throughout your business and with those vendors and affiliates with whom you have shared that information.
4. If You Sell Personal Information About Children Under Age 16, Develop an Opt-In Process
While adults can opt out of the sale of their information, the CCPA requires an opt-in process for children under age 16. Children who are at least 13 years of age can opt in for themselves, but parents must opt in for children under age 13.
5. Update Your Vendor Agreements
To avoid having data transfers classified as a “sale” of information, businesses need to ensure their agreements with third parties, and even affiliated entities, meet certain CCPA requirements. You will likely need to update your current agreements (or create new agreements if they are not already in place) with any organization that handles personal information about California residents on your behalf.
If you do not update these agreements before January 1, 2020, you may be deemed to be selling information, which implicates opt-out obligations (and opt-in obligations for children under age 16) and requires the use of the “Do Not Sell My Information” button.
6. Ready Your Website
Your website privacy policy should disclose:
The types of personal information you collect;
How you collect the information;
With whom you share the information;
Whether or not you sell personal information (and, if so, how individuals can opt out of the sale); and
How individuals can exercise their rights under the CCPA, including two or more designated methods for consumers to submit requests (at a minimum, a toll-free telephone number and a website address).
In addition, if you sell (or are deemed to be selling) personal information, you will need a clear, conspicuous link on your homepage (or on the homepage for California consumers), titled “Do Not Sell My Personal Information.” This link must take consumers to a page where they can opt out of the sale and where children under the age of 16 and parents of children under the age of 13 can opt into the sale.
7. Train Your Employees
Finally, begin training your employees on the key aspects of the CCPA, how to respond to individual requests, and the importance of following the organization’s data privacy and security policies and procedures.
The CCPA is a data privacy game-changer within the U.S. and it imposes significant obligations on a large swath of businesses. While the obligations and individual rights under the CCPA are similar to obligations and individual rights granted under the European Union’s General Data Protection Regulation (GDPR), the two laws are not identical and compliance with the GDPR does not mean you are automatically compliant with the CCPA. Thus, your business will still need to develop policies, disclosures and contractual provisions that are specific to the CCPA.
Non-compliance with the CCPA will be costly.
The California Attorney General is authorized to enforce the CCPA with penalties of up to $2,500 per consumer violation. Additionally, consumers whose data is the subject of a data breach can sue for between $100 and $750 per incident if the business failed to implement reasonable security procedures. The CCPA expressly voids any arbitration provision or class action limitation on this right. If your business meets the statutory thresholds noted above, compliance efforts should be started well in advance of January 1, 2020.
For more general information about the CCPA and to learn whether it applies to your organization, read “An Overview of the CCPA.”