With summer vacations, BBQs, and heat waves still in full swing, it can be tempting to think there is plenty of time remaining until the California Consumer Privacy Act ("CCPA") takes effect on January 1, 2020. However, the reality is that the clock is ticking—as of Labor Day, there are only 18 weeks remaining in the year, and our team’s best estimate is that it takes a minimum of 16 weeks to become compliant.
Part of the reason for this long implementation period is that the law’s requirements demand coordination from stakeholders across a business, including those in the Legal Department, Human Resources, IT, and Marketing, to name a few. Companies have a strong incentive to take the law seriously: the CCPA allows the California Attorney General to impose fines of up to $2,500 for each violation (or $7,500 for "intentional" violations). Those fines can quickly add up, as each affected customer will likely be considered one violation.
The following are some answers to common questions about CCPA compliance efforts.
For many companies, it may be tempting to think the only consumer right their business has to prepare for upfront is transparency, and that access requests, deletion, and opt-out can be dealt with in real time as they are received. Even if this is the case for your organization (and for most companies it is not), the CCPA’s transparency requirements are themselves significantly more expansive than your garden-variety privacy notice.
Specifically, businesses will have to:
- Outline data collection practices in painstaking detail;
- Describe any external sharing of data;
- Categorize each party who receives data as a third party or service provider;
- (Probably) add a "Do Not Sell My Personal Information" link to your websites and apps;
- Add forms to your website to allow individuals to submit CCPA requests; and
- Create a toll-free number to intake CCPA requests by phone.
These to-do items require that an organization have a detailed understanding of what data it collects, where it is stored, and how it is used. This, in turn, requires a data mapping exercise, which in itself can take 6-8 weeks at best—or longer if external resources need to be brought in. Further, many organizations will be surprised to find out that they have freezes on changes to website code at the end of the year to prevent disruption of holiday sales.
Do I Really Need to Map My Data?
Mapping data is like going to the dentist: no one looks forward to it, but you prevent a lot of serious risks by doing it, and re-doing it periodically. A misleading disclosure may be an FTC violation as well as a CCPA violation.
A data map is a record of how your entire organization processes personal information—in other words, all the ways that information is collected, used, stored, manipulated, combined with other data, disclosed, aggregated, and destroyed. Only when you have a comprehensive understanding of all these data flows is it possible to plan how to respond to consumer requests and determine what notices, contractual terms, and processes will be necessary to comply with the CCPA’s myriad requirements.
Unfortunately, while a standard dental cleaning typically only takes an hour or two, truly understanding your organization’s data is a multi-step process that involves marshalling IT resources, training personnel on the definitions and requirements of the CCPA, and surveying those personnel, data business owners, and vendors about what they have and why. Be prepared for a lot of frustrating conversations about how an IP address is personal information even though an individual cannot be located on the basis of it unless one is a) an ISP or b) a detective on Law and Order.
But Compliance Should Be Easy if I Complied with GDPR, Right?
If your organization complied with the EU’s General Data Protection Regulation last year, you will have a head start—and you should indeed leverage the work you did previously as you prepare for the CCPA. However, the requirements of the two laws are not co-extensive.
Your cookie banner is not going to help with CCPA compliance, as the CCPA is not a consent-based statute (exception: personal information belonging to minors under 16). As noted above, the CCPA’s transparency requirements are much more prescriptive. Furthermore, the California law’s definition of what constitutes a "sale" is much broader than the common understanding of that term; most organizations are surprised to find out just how much personal information they might be "selling."
What Do I Do Now?
Warning: the best thing to do is to consult, now, outside counsel who specializes in privacy compliance.
If you’ve waited until November to do so, keep in mind that:
- Lawyers have Thanksgiving plans too; and
- Even if they did not (and we’re just kidding, lawyers are workaholics who will set things aside for you), it’s not going to be possible to complete all the recommended steps by January 1.
What you can likely prioritize on short notice, however, includes:
- Adding CCPA request forms to your website. Make sure any submissions route to someone trained in the CCPA who understands the risk and deadlines associated with such requests.
- Creating new contract templates to allow new parties to whom you disclose data to qualify to be treated as service providers, where appropriate. You might have to go back and amend existing contracts as well, but changing your templates should at least prevent additional work in the future.
Keep an Eye on CCPA Amendments
Finally, it is worth keeping an eye on the potential amendments to the CCPA currently making their way through the California legislature. While none of these bills would change the core requirements discussed above, they could make meaningful adjustments to other requirements, like the effect of the CCPA on employee data.