The California Consumer Protection Act (CCPA) becomes effective on January 1, 2020. However, with the bevy of proposed amendments aiming to modify and clarify the law, it can feel like compliance obligations are a moving target. Even with this uncertainty, there are steps organizations can take now to ready themselves for the CCPA before its final form goes into effect.
Unsure whether the CCPA applies to your organization? Read our previous article or watch our webinar on the topic for more information.
How to Prepare
In anticipation of CCPA enactment, organizations subject to the CCPA should take the following steps.
Map Your Data.
Understanding the personal information your organization collects, retains, and shares is a critical first step in assuring CCPA readiness. You should be able to answer the following questions:
- What personal information does your organization collect from California consumers?
- How does it collect this information and from what sources?
- Where and how is the information stored?
- With whom is the information shared?
- Why is the information shared (e.g., provision of services, a “sale”)?
Review Your Current Security Controls.
The CCPA currently allows individuals to seek damages if certain personal information is breached as a result of an organization’s failure to utilize reasonable security practices and procedures. Now is the time to review and update your data security and privacy policies and practices to help mitigate the risk of a data breach and subsequent action.
Develop a Process for Handling Requests.
The CCPA requires organizations to respond to individual requests about their personal information within 45 days, free of charge. Given the short response window, you should develop procedures for responding to these requests and for establishing when to deny them. Specifically, the CCPA gives individuals the right to:
- Request a copy of their personal information.
- Find out what categories of their personal information are being sold or shared with third parties.
- Request that their personal information be deleted.
- Request to opt out of the sale of personal information (or opt into the sale if the individual is younger than 16).
Update Your Vendor Agreements.
To avoid having data transfers classified as a “sale” of information, organizations need to ensure their agreements with third parties and even affiliated entities meet certain CCPA requirements. You should update your current agreements (or create new agreements if they are not already in place) with any organization with whom you share personal information. Specifically, you should have contractual language in place in which these organizations certify that they will not retain, use, or disclose personal information for any purpose other than the specific purpose of performing the services specified in the contract.
Ready Your Website.
Your website should disclose:
- The types of personal information you collect;
- How you collect the information;
- With whom you share the information;
- Whether or not you sell personal information (and, if so, how individuals can opt out of the sale); and
- How individuals can exercise their rights under the CCPA, including two or more designated methods for consumers to submit requests (at a minimum, a toll-free telephone number and a website address).
In addition, if you sell personal information, you will need a clear, conspicuous link on your homepage (or on the homepage for California consumers), titled “Do Not Sell My Personal Information,” that takes consumers to a page where they can opt out of the sale, as well as a mechanism for obtaining appropriate consent to the sale of information of any individual under the age of 16.
Train Your Employees.
Finally, begin training your employees on the key aspects of the CCPA, how to respond to individual requests, and the importance of following the organization’s data privacy and security policies and procedures.
We’re Here to Help
For assistance with CCPA compliance or questions about the CCPA generally, please contact Norbert Kugele, Kelly Hollingsworth, or any other member of the Cybersecurity and Privacy Practice Group at Warner Norcross + Judd.