July 09, 2019

Preparing for the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. However, with the bevy of proposed amendments aiming to modify and clarify the law, it can feel like compliance obligations are a moving target. Even with this uncertainty, there are steps organizations can take now to ready themselves for the CCPA before its final form goes into effect.
 
Unsure whether the CCPA applies to your organization? Read our previous article or watch our webinar on the topic for more information. 
 
How to Prepare
In anticipation of CCPA enactment, organizations subject to the CCPA should take the following steps.
 
Map Your Data. Understanding the personal information your organization collects, retains, and shares is a critical first step in assuring CCPA readiness. You should be able to answer the following questions:
 
  • What personal information does your organization collect from California consumers?
  • How does it collect this information and from what sources?
  • Where and how is the information stored?
  • With whom is the information shared?
  • Why is the information shared (e.g. provision of services, a “sale”)?
 
Review Your Current Security Controls. The CCPA currently allows individuals to seek damages if certain personal information is breached as a result of an organization’s failure to utilize reasonable security practices and procedures. Now is the time to review and update your data security and privacy policies and practices to help mitigate the risk of a data breach and subsequent action.
 
Develop a Process for Handling Requests. The CCPA requires organizations to respond to individual requests about their personal information within 45 days, free of charge. Given the short response window, you should develop procedures for responding to these requests and for establishing when to deny them. Specifically, the CCPA gives individuals the right to:
 
  • Request a copy of their personal information.
  • Find out what categories of their personal information are being sold or shared with third parties.
  • Request that their personal information be deleted.
  • Request to opt out of the sale of personal information (or opt into the sale if the individual is younger than 16).
 
Update Your Vendor Agreements. To avoid having data transfers classified as a “sale” of information, organizations need to ensure their agreements with third parties and even affiliated entities meet certain CCPA requirements. You should update your current agreements (or create new agreements if they are not already in place) with any organization with whom you share personal information. Specifically, you should have contractual language in place in which these organizations certify that they will not retain, use or disclose personal information for any purpose other than the specific purpose of performing the services specified in the contract. 
 
Ready Your Website. Given the pending bills that are working through the California legislature to revise the CCPA, it may not be advisable to update your website until the legislature’s session ends in mid-September. However, you should determine ahead of time whether to develop a California-specific landing page or integrate CCPA requirements into your general website. Furthermore, you will need to update (or develop) your website privacy policy so that it clearly details all of the following: 
 
  • The types of personal information you collect;
  • How you collect the information;
  • With whom you share the information;
  • Whether or not you sell personal information (and, if so, how individuals can opt out of the sale); and
  • How individuals can exercise their rights under the CCPA, including two or more designated methods for consumers to submit requests (at a minimum, a toll-free telephone number and a Web site address).
 
In addition, if you sell personal information, you will need a clear, conspicuous link on your homepage (or on the homepage for California consumers), titled “Do Not Sell My Personal Information,” that takes consumers to a page where they can opt out of the sale, as well as a mechanism for obtaining appropriate consent to the sale of information of any individual under the age of 16.
 
Train Your Employees. Finally, begin training your employees on the key aspects of the CCPA, how to respond to individual requests, and the importance of following the organization’s data privacy and security policies and procedures.
 
We’re Here to Help
For assistance with CCPA compliance or questions about the CCPA generally, please contact Norbert Kugele, Kelly Hollingsworth or any other member of the Cybersecurity and Privacy Practice Group at Warner Norcross + Judd.
