With a month left before the January 1, 2020 deadline to comply with the California Consumer Privacy Act, covered businesses should ideally be well on their way to compliance. But what if you procrastinated and find yourself tardy for the CCPA compliance party?
Here are a few practical, last-minute tips to make the best of the last month before the deadline.
First, is your company covered?
Start by making sure your company is actually covered by the CCPA. First, your company must be a for-profit entity that (1) collects the personal information of California residents, (2) determines the purposes and means of processing the PI and (3) does business in California.
Second, it must either (A) have more than $25 million in annual gross revenue, (B) receive for commercial purposes the PI of 50,000 California residents, devices or households annually or (C) make more than 50% of its annual revenue from selling PI.
If your company does not meet the criteria above but shares common branding with a parent company or subsidiary that does, then your company and the parent/subsidiary are covered by the CCPA.
Second, keep the CCPA in perspective
You are not alone in feeling behind the curve on the CCPA. Most companies, big and small, are struggling with CCPA compliance. The CCPA's requirements came to a landing only in October 2019, when the latest amendments to the law were passed and the California Attorney General released its draft regulations on how to implement the statute. Even Google only released its CCPA position two weeks ago. And industry groups like the Interactive Advertising Bureau and the Digital Advertising Alliance are still devising CCPA compliance frameworks for their members.
Second, the CCPA deadline is January 1, 2020, but the AG's enforcement power probably won't kick in until July 2020. Even then, the AG must first give a business 30 days to cure any alleged violation before it can initiate an enforcement action.
However, the January deadline is still meaningful because, when it passes, private plaintiffs can sue for statutory damages associated with certain data breaches, California city and county attorneys can start enforcing the CCPA, and an AG enforcement action after July 1, 2020 can still investigate noncompliance before that date.
Finally, recognize that we've only just begun the CCPA compliance journey. The draft regulations will be finalized by July 2020 (and probably impose additional requirements), the 2020 legislative session may bring new amendments to the law, and a new ballot measure will create a "CCPA 2.0" if passed in November 2020.
Third, focus on what's possible now
Consider a dual-track approach to compliance:
Track 1 focuses on the low-hanging fruit that you can pick by January 1. For example:
- Make sure your leadership team knows what CCPA is, why it is important and why it will require commitment and resources from your business now, into 2020 and beyond.
- Give a privacy notice to your employees based in California and a separate privacy notice to job applicants for California roles. There is a one-year grace period for most CCPA obligations relating to "HR data," but it does not apply to the obligation to give privacy notices. Start with templates or sample notices, and tailor them to your business practices, working with HR to make sure the notices are complete and accurate. Be sure to give these notices to both existing employees/job applicants (e.g., by email) and to new employees/applicants starting on January 1.
- Spend some time raising internal awareness about CCPA, and in particular, about the fact that Californians may start sending requests:
- for information about the categories of PI collected and how they are used and shared
- for a copy of the PI you hold about them
- to delete their PI
- to opt-out of the sale of their PI
- Make sure your colleagues in customer-facing roles know how to recognize these requests and where to send them when they come in (e.g., to a dedicated inbox such as email@example.com). Make sure someone is responsible for checking that inbox and triaging the requests. The good news is that you will have at least 45 days (and, if necessary, a total of 90 days) to respond to all requests except requests to opt out of sales of PI (for which the tentative deadline under the draft regulations is 15 days).
Track 2 focuses on everything else you need to do for CCPA compliance, an effort that you can kick off now but will continue beyond January 1. This is not an exhaustive list of what you need to do, but highlights core tasks:
- Secure the resources and time commitments from your colleagues that you will need for CCPA compliance – a team effort that requires participation from management, marketing, HR, product/engineering, IT/information security and others.
- Create a project plan and track progress.
- Implement "reasonable" security measures required by California's data security statute. Failure to do so can expose you to private lawsuits under the CCPA if you have a data breach.
- Give privacy notices to your California non-employee personnel and anyone else with whom you interact in the HR context if you haven't already.
- Develop a standard operating procedure for handling requests under the CCPA (e.g., intake, verifying the requester's identity, transferring requested PI).
- Amend vendor agreements as necessary to ensure your vendors qualify as "service providers" under the CCPA (which can limit your obligations and reduce your liability under the statute).
- Conduct more formal training for key personnel on handling requests under the CCPA.
The final word
If you are tardy to the CCPA party, plan – don't panic. With a concerted effort, you can make real progress before year-end and catch up before the AG gets its enforcement stick next year. But don't relax either. Be sure your company is clear-eyed about the importance of the CCPA and the considerable effort required to comply with it, so when you return from the holidays, you are past the internal education phase and can hit the ground running towards closing your compliance gaps.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.