If your company is not ready for the California Consumer Privacy Act (the “CCPA”), you are in good company. According to one recent survey, 56% of companies polled will not be able to meet the CCPA’s requirements when the law goes into effect on January 1, 2020.[1]
But even if you can’t be ready by January 1, there is no reason not to get going. As the Chinese proverb says, “The best time to plant a tree is twenty years ago. The second best time is now.”
If you have determined that your business must comply with the CCPA, here is a list of action items that will help you get ready:
1. Understand the “big picture” of the CCPA.[2]
The main point of the law is to establish that California residents have:
- the right to know what personal information is collected about them and to whom that information is sold/disclosed,
- the right to access their personal information and, sometimes, have it deleted,
- the right to opt out of the sale of their personal information, and
- the right not to be discriminated against for exercising their privacy rights.
Although the title of the law makes it sound like it is aimed at the retail/“consumer” context, it is not that limited. Under the CCPA, “consumer” means “a California resident.” Essentially, the CCPA is a comprehensive privacy regime—similar to the GDPR in Europe—that benefits the residents of California and makes covered businesses responsible for not only respecting the rights established but actually notifying California residents of their rights and helping them exercise their rights.
2. Assemble a team and take a data inventory.
If you have never gone through the process of mapping your company’s data, this is the critical first step of any privacy compliance project. You need to be able to map the life cycle—from beginning to end—of the data at issue. For the immediate purpose of complying with the CCPA, you will want to identify the who, what, when, where, how, and why of data that relates to California residents:
- What kinds of personal data does the company have regarding California residents (data contained in email, employee/HR records, customer lists, etc.)?
- What are the points of collection? Where does the data come from: emails, online forms, product orders, phone calls, lists from affiliates or third parties?
- Can the California-related data be segregated from the other data?
- What systems/servers/platforms/devices hold the data?
- Who has access to those systems/servers/platforms/devices?
- How is the data secured, and how is access to it logged and reviewed?
- Why is the data collected? How is it used? For what purposes?
- Is the data disclosed, shared, sold or otherwise made available to any third party? If so, under what circumstances, to which third parties, and for what purposes?
- Are the third parties under any contractual obligations with respect to how they handle the data?
- What privacy, information security and document retention policies are used by the company? When are they reviewed, monitored or tested?
3. Decide whether to take a California-specific approach.
Once you know how much personal information your company holds about California residents and how easy or difficult it will be to treat that data differently from other data, you will need to decide whether to take a California-specific approach or an across-the-board approach. The requirements of the CCPA apply only to the personal information of California residents (even a business located in California need only comply with the CCPA for the personal information of California residents). In many cases, it will make sense to identify and segregate the California-specific personal information held by the company so that the new CCPA-compliant policies and procedures apply only to that data. On the other hand, if a large part of your business is in California, or if data segregation will be complicated, you may decide that it will be easier and cheaper in the long run to apply the principles of the CCPA across the board, regardless of consumer domicile.
4. Determine if your company “sells” California residents’ personal information and if so, whether it really wants to continue.
For some businesses, selling data is an important part of the business model; the monetization of data is the lifeblood of companies like Facebook and Google. But for many businesses, selling data is just an additional revenue stream. If that is the case for your business, consider whether the revenue stream is worth the trouble the CCPA presents. The most onerous and complex obligations of the CCPA apply to sellers of data. For example, “sellers” have to give consumers an opportunity to “opt out” of the sale of their data, and the opt-out link (titled “Do Not Sell My Personal Information”) has to be displayed clearly and conspicuously on the company’s homepage. Does your company want to put that link on its homepage? The personal information of children under age 16 is a different story: that data cannot be sold unless there has been prior opt-in consent, and for children under 13 the consent must come from a parent or guardian.
For companies that want to sell personal information of California residents, the compliance requirements are going to be significant—and beyond the scope of this article. The easiest and cheapest way out of those obligations is to not sell data.
However, “sell” is broadly defined in the CCPA. It means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information . . . for monetary or other valuable consideration.” Money need not change hands: a discount, a reciprocal data feed, or any other benefit received in exchange for the disclosure can be “valuable consideration.” To confirm that your company is not “selling,” trace each third-party disclosure identified in your data inventory and make sure that the business receives no valuable consideration for it, or that the disclosure falls within one of the statute’s carve-outs (for example, a disclosure to a service provider bound by a qualifying written contract), and document that basis for each transfer.
5. Determine what policies, processes, and tracking systems your company should implement in order to meet the CCPA’s obligations.
In order to determine what policies, processes, and tracking systems you will need to put in place, you need to understand the range of compliance obligations established by the CCPA. The charts below identify (a) the CCPA’s requirements for businesses and (b) suggested action items for meeting those obligations: