Skip to Main Content
Publications
Publications | July 9, 2019
3 minute read

Preparing for the California Consumer Privacy Act (CCPA)

The California Consumer Protection Act (CCPA) becomes effective on January 1, 2020.  However, with the bevy of proposed amendments aiming to modify and clarify the law, it can feel like compliance obligations are a moving target. Even with this uncertainty, there are steps organizations can take now to ready themselves for the CCPA before its final form goes into effect.
 

     
    Review Your Current Security Controls. The CCPA currently allows individuals to seek damages if certain personal information is breached as a result of an organization’s failure to utilize reasonable security practices and procedures. Now is the time to review and update your data security and privacy policies and practices to help mitigate the risk of a data breach and subsequent action.
     
    Develop a Process for Handling Requests. The CCPA requires organizations to respond to individual requests about their personal information within 45 days, free of charge. Given the short response window, you should develop procedures for responding to these and establishing when to deny such requests. Specifically, CCPA gives individuals the right to:
     

       
      Update Your Vendor Agreements. To avoid having data transfers classified as a “sale” of information, organizations need to ensure their agreements with third parties and even affiliated entities meet certain CCPA requirements. You should update your current agreements (or create new agreements if they are not already in place) with any organization with whom you share personal information. Specifically, you should have contractual language in place in which these organizations certify that they will not retain, use or disclose personal information for any purpose other than the specific purpose of performing the services specified in the contract. 
       
      Ready Your Website. Given the pending bills that are working through the California legislature to revise the CCPA, it may not be advisable to update your website until the legislature’s session ends in mid-September. However, you should determine ahead of time whether to develop a California-specific landing page or integrate CCPA requirements into your general website. Furthermore, you will need to update (or develop) your website privacy policy so that it clearly details all of the following: 
       

         
        In addition, if you sell personal information, you will need a clear, conspicuous link on your homepage (or on the homepage for California consumers), titled “Do Not Sell My Personal Information” that takes consumers to a page where they can opt out of the sale as well as a mechanism for obtaining appropriate consent to the sale of information of any individual under the age of 16.
         
        Train Your Employees. Finally, begin training your employees on the key aspects of the CCPA, how to respond to individual requests, and the importance of following the organization’s data privacy and security policies and procedures.
         
        We’re Here to Help
        For assistance with CCPA compliance or questions about the CCPA generally, please contact Norbert Kugele, Kelly Hollingsworth or any other member of the Cybersecurity and Privacy Practice Group at Warner.