Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance. California’s new privacy law goes into effect January 1, 2020. Consumer lawsuits are expected to follow shortly after implementation. CCPA can apply to businesses without offices or employees in California. It can also reach activities conducted outside of California.
1. Delegate CCPA compliance oversight to a knowledgeable employee or team
Identity key business stakeholders; assemble multidisciplinary team; engage legal counsel to assist as needed
Note: CCPA applies to all personal information of California consumers and not only data collected online
3. Implement and maintain reasonable security practices
Identify internal or external resources for information technology and data security; determine any contractual information security requirements; consult with others in industry or sector to determine best practices for securing information collected, stored or used by the business; regularly review internal information security practices and document them; prepare a data breach notification plan; conduct table-top exercises to simulate data breach response
4. Maintain procedures to respond to requests for access to personal data and specific pieces of information
Document consumer verification process and how it is aligned with legal requirements; document work flows showing internal procedures are followed; implement templates for customer service communications; audit files and processes to ensure internal policies are followed; log and track requests from consumers and retain copies of responses
5. Maintain procedures to respond to requests to delete personal information
Establish protocols for responding to such requests in a timely and effective manner; identify data within any applicable exception to deletion on which your business relies and how long it can or should be retained; audit files and processes for legal compliance
6. Maintain procedures to respond to requests to opt-out of sale of personal information
Provide consumers with appropriate notice that their personal information is being sold, if applicable, and implement processes to respond to and honor requests to opt-out to such sale; audit processes for legal compliance
7. Update vendor contracts to comply with CCPA and avoid being characterized as “selling” personal information to vendors
8. Maintain procedures for collection and use of personal information of minors (as applicable)
Obtain appropriate opt-in consent with respect to persons 16 or younger whose personal information is sold
9. Conduct appropriate privacy training for personnel depending on their job function
Offer appropriate training to personnel; require personnel to participate in privacy and security training; prepare templates and scripts for personnel responding directly to consumers’ requests under CCPA; document how compliance of personnel is evaluated or checked
10. Assess affiliates’ need to comply with the CCPA and implement family-wide compliance if necessary
The affiliates of a business subject to the CCPA may all come under the CCPA where they all do business under a common brand; pro-actively determine whether compliance with the CCPA can be limited to one or more specific companies in a family of companies and take appropriate actions based on the outcome of the review
The CCPA is a complex law, and this overview does not substitute for considering CCPA requirements in their entirety. The CCPA, while a comprehensive privacy law, does not supplant other California or other state privacy laws. Don’t lose sight of other privacy obligations in the U.S. as you navigate CCPA compliance for your business.
Womble Bond Dickinson (US) LLP communications are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.