Complying with the Toughest Data Privacy Law in the United States
In response to the recent wave of high-profile data breach incidents—including those experienced by Target, Equifax, Cambridge Analytica, and many others—the California state government has enacted what is, to date, the most groundbreaking privacy legislation in United States history. Known as the California Consumer Privacy Act of 2018 (CCPA), California’s new privacy regulation possesses the potential to cause a seismic shift in the landscape of data privacy law not just in California, but across the country.
Importantly, this new sweeping privacy legislation will impose a multitude of new, extremely demanding notice, disclosure, and consent requirements on a vast array of business entities that conduct operations and/or handle the personal information of California residents. Businesses who fall under the scope of the CCPA can expect the compliance process to be complex, just as many organizations have put the final touches on their compliance efforts with respect to the European Union’s own game-changing privacy law—General Data Protection Regulation (GDPR)—which took effect in May 2018.
Fortunately, through the implementation of several best practices described in this article, companies covered by the CCPA can achieve effective compliance with California’s exacting privacy legislation.
CCPA Compliance Strategy
Covered businesses should not assume that being GDPR-compliant automatically makes them CCPA-compliant. Although many of the CCPA’s provisions are similar to the requirements promulgated under GDPR, the CCPA provides for differing rights, obligations, and expectations as compared to its European counterpart. Thus, compliance with GDPR will not necessarily ensure compliance with the CCPA. As such, covered businesses that are subject to both GDPR and the CCPA will need to develop and implement a distinct CCPA-specific compliance strategy that involves differentiated, tailored policies and practices for consumers in these separate jurisdictions.
Ensuring compliance with California’s new sweeping privacy law requires a comprehensive, strategic approach that encompasses three vital facets: planning and analysis, implementation, and quality assurance.
With respect to the planning and analysis phase, the first operational response for compliance with the CCPA is to conduct an inventory analysis of all personal data that is handled by the covered business. To accomplish this task, companies must map and inventory every piece of personal information that is collected, used, and/or sold by the company, as well as all of the company’s data processing practices, including those relating to the collection and use, retention, and disposal of consumer data. From there, companies should establish and maintain a data inventory of all such personal information in order to ensure that data is well prepared to satisfy access, deletion, and portability requests from consumers. Ideally, a covered business’s mapping and inventory methods and practices should provide the organization with the capability to identify data location information as it relates to individual data subjects, so that covered businesses can effectively respond to the myriad of different consumer requests that are permissible under the CCPA.
By far, the most time- and labor-intensive aspect of the CCPA compliance process relates to the implementation phase, which will require organizations to develop and implement a range of policies, procedures, and practices that will allow covered businesses to comply with the many requirements of the CCPA. One major aspect of the implementation phase pertains to providing the mandated disclosures and notices required by California’s new privacy law. Companies will need to update their privacy policies with the information that is required to be affirmatively disclosed to consumers pertaining to consumers’ rights under the CCPA, including a toll-free number and a website for consumers to submit requests, as well as a link on the company’s Web page titled “Do Not Sell My Personal Information” to facilitate the opt-out process.
Another major aspect of the implementation phase relates to the development of methods and systems for responding to consumer requests. Companies must ensure that they have the operational capabilities to timely handle and respond to consumer requests made under the CCPA. If a company does not possess such capabilities, the organization should immediately begin to develop and implement the necessary programs and controls to ensure the ability to adhere to the law’s arduous consumer request obligations, such as mechanisms to delete data, disclose consumer information upon request, and ensure that no data of a consumer who has opted out is sold.
Companies must also implement systems to comply with the CCPA’s requirement that organizations implement “reasonable security procedures and practices” to guard against the unauthorized access of personal information. Importantly, if a company fails to implement reasonable security measures to safeguard personal information and a data breach occurs, the company opens itself up to lawsuits by consumers under the CCPA’s private right of action provision. In order to defend against this risk, companies must take affirmative steps to secure and safeguard the sensitive personal information that is collected and maintained by the organization.
A key practice that companies can implement to aid in the security of the personal information they possess is to incorporate written security policies and procedures in the form of a written information security plan (WISP), which is then integrated throughout the company’s operations. In addition, covered businesses should also consider protecting their systems and networks with whitelisting software, which only allows systems to execute programs known and permitted by the company’s security policy, and which prevents unauthorized, unknown, or malicious programs, such as ransomware, from executing within the system.
Furthermore, because data today is increasingly becoming a significant potential liability, covered businesses should also consider data minimization policies and practices. Companies can limit the potential fallout from a data compromise event by being selective as to what personal data is collected and stored. At the same time, covered businesses should also develop policies and practices to securely dispose of personal information that is no longer needed by the company.
After companies have put all of their procedures and practices in place to effectively comply with the CCPA’s multitude of mandates, covered entities must engage in quality assurance to ensure that the organization is, in fact, remaining compliant with California’s new privacy law. As part of the quality assurance phase, companies should conduct periodic risk assessments to identify the primary risks to the personal information maintained by the company, and implement any necessary modifications to the entity’s WISP in order to minimize the risk of these vulnerabilities being exploited by a data breach. In addition, because the CCPA requires that covered businesses update their data disclosures every 12 months, covered entities should also periodically review and update their consumer privacy policies to add any additional information that is required to be affirmatively disclosed to consumers.
Last but not least, because the CCPA mandates that individuals responsible for fielding consumer inquiries, or who are otherwise involved with the company’s CCPA compliance efforts, be “informed” of the organization’s duties under the CCPA, covered entities must provide employees with focused, periodic training regarding the obligations that the organization is required to satisfy to ensure compliance with the new law. Ideally, this training should not involve a one-time endeavor, but should be given on a periodic, ongoing, and consistent basis to ensure that all personnel is kept abreast of the complex web of rules and requirements that are placed on covered businesses by the CCPA.
The Final Word
Ultimately, the CCPA possesses the potential to be a game-changer as it relates to the landscape of privacy law not just in California, but across the United States. While the law does not go into effect until January 1, 2020, because many of the CCPA’s provisions require disclosure of data collected and/or sold over the preceding 12-month period, full compliance with the CCPA will require significant lead-time and resources, which means businesses should begin preparing and implementing a plan for compliance as soon as possible in order to ensure that the organization’s data collection and processing practices conform to the law’s new requirements.
Based on the current effective date of the CCPA, the 12-month look back period for consumer requests may reach back to as early as January 1, 2019. With that said, this look back period may be extended to July 2019 in the event the state’s Attorney General does not promulgate and publish its regulations until the CCPA-mandated deadline of July 1, 2020. In addition, getting an early start on compliance is also especially important due to the breadth and scope of the new law, which may require companies to invest significant time in order to determine all of a company’s systems that require updates, and to implement changes to come in compliance with the new law.
An early start toward compliance can make all the difference between being able to comply with the CCPA and being on the receiving end of a potentially catastrophic class action suit brought under the CCPA’s private right of action provision.
“Complying with the Toughest Data Privacy Law in the United States,” by Ana Tagvoryan, Jennifer J. Daniels, Ana Amodaj, and David J. Oberly was published in Legaltech news on March 7, 2019.
Reprinted with permission from the March 7, 2019, edition of Legaltech news© 2019 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com.