Companies that have customers in the Golden State need to be buttoned up when it comes to complying with the California Consumer Privacy Act (CCPA), which went into effect earlier this year and is enforceable as of July 1.
To some degree, California’s statute “represents a shift in perspective” for data, observes Heather Buchta, a partner at the law firm Quarles & Brady. Courtesy of California’s state legislature, we as a society are evolving from looking at data as a company asset and moving toward “a consumer rights mentality,” Buchta says. Still, businesses cannot afford to dither about compliance.
What follows are 10 pieces of expert advice compliance practitioners should heed:
1. Determine whether you are subject to the law. Not every organization is subject to the CCPA. The law applies to businesses that have gross annual revenues greater than $25 million; those that buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices; or businesses that derive 50 percent or more of their annual revenue from selling consumers’ personal information. For-profit enterprises do not necessarily have to be based in California to be subject to the statute.
2. Don’t just hand off CCPA compliance to the IT team. “There are IT aspects to compliance with the CCPA,” says Jason Schwent, data privacy specialist at the law firm Lathrop Gage. While data tracking information, deletion, and security do tend to be tech-oriented tasks, adherence to the CCPA “is a legal compliance issue,” he maintains.
Businesses should have a team “comprising legal, compliance, business, and technology expertise,” suggests Richard Harris, chair of the technology, telecommunications, and outsourcing practice at the law firm Day Pitney. The team can “assess the compliance strategy to address the implications of the CCPA on their business,” Harris says.
3. Set up a schedule. Behavior modification will not happen overnight. “Agreeing upon a realistic timeframe for achieving compliance is essential,” Harris says. Keep it real. “Most likely, a two-week sprint to compliance will fail miserably and frustrate all involved,” Harris says.
Take an organized, steady approach toward adherence with the California law. “Inventory your collection, use, storage, and transfer of personal information,” Schwent suggests. Developing processes for evaluating and responding to data access requests and training employees will also take some time.
4. Decide whether to extend CCPA protections to your entire customer base. A key issue companies will face is whether your entire client base will be given CCPA protections. Touchy customer relations issues can ensue if a company offers a slate of new rights to customers in California and not to everyone else, observes W. Reece Hirsch, a partner at the law firm Morgan Lewis.
“A business that is very consumer-facing and heavily depends on direct relationships with consumers for its reputation and business growth may want to extend CCPA rights and protections to all consumers as a promotional, consumer-friendly gesture,” suggests Nancy Perkins, counsel at the law firm Arnold & Porter.
5. Revise your online privacy notice. “Update Website and employee privacy policies to include descriptions of the categories of information collected, third parties with whom data is shared, and rights available to individuals under CCPA,” suggests Laura Jehl, leader of the global privacy and cyber-security practice at the law firm McDermott Will & Emery.
6. Document “reasonable security” practices. The CCPA “also contains data protection and security provisions and provides a private right of action for consumers affected by a data breach caused by a business’ failure to provide ‘reasonable security,’” Jehl notes.
Covered businesses should review information security processes “against established data security standards such as National Institute of Standards and Technology, International Organization for Standardization, or CIS Critical Security Controls,” Jehl suggests. Companies should “ensure sufficient documentation of those controls is in place to demonstrate ‘reasonable security’ in the event of a data breach,” she says.
7. Establish a subject data request process. Remember that verification obligations under the California law “are significant,” Schwent says. “And businesses that fail to comply with those requirements and release personal information to the harm of the consumer may face litigation for those mistakes (as well as regulatory enforcement actions),” he notes.
“Companies should be prepared to intake and effectuate consumer access and deletion requests,” says Kandi Parsons, an attorney at the law firm ZwillGen.
8. Figure out where your data is. Map personal information that your business maintains or that service providers maintain on your behalf, suggests Perkins of Arnold & Porter. “You’ll need to know the types of personal information that you have collected in the past 12 months, the purposes for which you collected it, and the types of entities to whom you disclosed it in the past 12 months, and continue to track that on an ongoing basis,” she says.
Don’t forget “offline” data—the sort that’s in the real world. The CCPA regulations “clearly push data privacy disclosures into the offline realm, including onsite consumer interactions,” Buchta cautions.
9. Review vendor contracts. “Figure out which vendors have access to any personal information, pull the contracts, and double check the data use language,” Buchta adds. Put amendments in place “to give you the contractual protections you need for data restrictions,” she says.
10. Train employees. The “CCPA places a strong emphasis on training of personnel who will be responsible for receiving and acting on consumer requests,” Harris notes. “Personnel need to understand their privacy program so they can help reduce risk for the business, both from a process perspective and a customer communications perspective,” Buchta says.
After all, “the process of fielding access requests, deletion requests,” and requests to opt-out of the sales of one’s data “is not a typical customer service exercise,” Schwent notes. Addressing these requests “can impact a number of operations,” he continues. Ultimately, “employees must be trained on the policy to make sure that everyone (not just IT) knows how to handle personal information within the organization and what each employee’s responsibility is with respect to the same,” he says.
10 things you need to know about CCPA compliance