United States: Practical Guidance For Complying With The California Consumer Privacy Act

Compliance with the California Consumer Privacy Act – effective January 1, 2020 – requires businesses to create new procedures and update old processes.

The California Consumer Privacy Act of 2018 (the "CCPA") became effective on January 1, 2020. In our previous posts in November 2019 and December 2019, we discussed the core requirements of the CCPA and its implementing regulations. The purpose of this post is to provide high-level practical guidance to help businesses which are subject to the CCPA comply with its many requirements. The guidance below assumes that your business collects personal information (as defined by the CCPA) from or about residents of California, and does not qualify for an exemption from the CCPA. If you have not already done so, you should:

• Assess what personal information is being collected by your business and whether it is being sold or disclosed for a business purpose; the CCPA imposes separate reporting requirements on personal information which is sold or disclosed, so understanding how personal information flows into your business, is operationalized, and flows out is critical to CCPA compliance. Determine whether you are collecting information from minors. If so, special rules will apply.
• Implement reasonable security procedures, including conducting a risk assessment, establishing information security policies and procedures, and conducting training for employees; implement technical safeguards including, for example, encryption of personal information and multi-factor authentication.
• Update privacy related disclosures (including your privacy policy) to include disclosures required by the CCPA, and prepare consumer notifications.
• Develop a process for responding to (verified) consumer requests – i.e., establish channels through which consumers can submit CCPA-related requests, and a mechanism for verifying the identity of a party making such a request. If your business sells personal information, develop a process for responding to requests to opt-in/opt-out of the sale of personal information (including creating a "Do Not Sell My Personal Information" link/option on your company's website).
• Thoroughly review and understand the requirements of the CCPA to implement compliant procedures relating to, inter alia, recordkeeping, non-discrimination, incident response, and data portability, among the CCPA's other requirements.
• Keep an eye out for further developments with respect to the CCPA, as additional activity is expected throughout 2020. For instance, exemptions for certain employee personal information and business-to-business transactions are set to expire January 1, 2021, and further action is expected to occur throughout 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.