Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance. California’s new privacy law goes into effect January 1, 2020. Consumer lawsuits are expected to follow shortly after implementation. CCPA can apply to businesses without offices or employees in California. It can also reach activities conducted outside of California. 

1. Delegate CCPA compliance oversight to a knowledgeable employee or team   

Identity key business stakeholders; assemble multidisciplinary team; engage legal counsel to assist as needed

2. Maintain and regularly update a business-wide privacy policy

Map data collected by your business (including how it is used and where it resides); implement processes to provide consumers with required information about collection and use of their personal information; document how and why the privacy policy is aligned with legal requirements; appropriately disclose the privacy policy to the public.

Note: CCPA applies to all personal information of California consumers and not only data collected online

3. Implement and maintain reasonable security practices    

Identify internal or external resources for information technology and data security; determine any contractual information security requirements; consult with others in industry or sector to determine best practices for securing information collected, stored or used by the business; regularly review internal information security practices and document them; prepare a data breach notification plan; conduct table-top exercises to simulate data breach response 

4. Maintain procedures to respond to requests for access to personal data and specific pieces of information    

Document consumer verification process and how it is aligned with legal requirements; document work flows showing internal procedures are followed; implement templates for customer service communications; audit files and processes to ensure internal policies are followed; log and track requests from consumers and retain copies of responses   

5. Maintain procedures to respond to requests to delete personal information     

Establish protocols for responding to such requests in a timely and effective manner; identify data within any applicable exception to deletion on which your business relies and how long it can or should be retained; audit files and processes for legal compliance

6. Maintain procedures to respond to requests to opt-out of sale of personal information     

Provide consumers with appropriate notice that their personal information is being sold, if applicable, and implement processes to respond to and honor requests to opt-out to such sale; audit processes for legal compliance

7. Update vendor contracts to comply with CCPA and avoid being characterized as “selling” personal information to vendors    

Identify vendors or third parties that receive personal information from your business and include appropriate contract terms to address CCPA requirements; make vendor or third party aware of your business’s privacy policy and their obligation to comply with it, if any; diligence vendors and their privacy and data security practices, as appropriate

8. Maintain procedures for collection and use of personal information of minors (as applicable)    

Obtain appropriate opt-in consent with respect to persons 16 or younger whose personal information is sold

9. Conduct appropriate privacy training for personnel depending on their job function    

Offer appropriate training to personnel; require personnel to participate in privacy and security training; prepare templates and scripts for personnel responding directly to consumers’ requests under CCPA; document how compliance of personnel is evaluated or checked

10. Assess affiliates’ need to comply with the CCPA and implement family-wide compliance if necessary    

The affiliates of a business subject to the CCPA may all come under the CCPA where they all do business under a common brand; pro-actively determine whether compliance with the CCPA can be limited to one or more specific companies in a family of companies and take appropriate actions based on the outcome of the review

The CCPA is a complex law, and this overview does not substitute for considering CCPA requirements in their entirety. The CCPA, while a comprehensive privacy law, does not supplant other California or other state privacy laws. Don’t lose sight of other privacy obligations in the U.S. as you navigate CCPA compliance for your business. 


Womble Bond Dickinson (US) LLP communications are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.