That said, the exact scope of the CCPA - referred to by some as ‘GDPR Light’ - remains unclear. Businesses must wait for the California Attorney General to issue implementing regulations to gain greater clarity on how key CCPA provisions will be enforced and interpreted, while at the same time some amendments have been enacted and further amendments proposed, including in recent weeks.
Actual enforcement of the CCPA will not begin until the earlier of six months after such regulations are issued or July 1, 2020. However, the law is still set to become effective January 1, 2020, and businesses should not wait on the Attorney General before taking action. Compliance with the CCPA will require far more than just surface-level cosmetic changes to a website’s privacy policy. For example, businesses will need to maintain records of their data processing activities and be able to respond to consumer data access requests.
Awin has always taken its privacy obligations seriously and has continued to do so under recent regulatory changes in the EU with the GDPR and pending ePrivacy regulation. While privacy legislation unfolds in further jurisdictions, we’re keeping a close eye on what needs to be done to maintain compliance and respect the rights of individuals worldwide.
As such, our external advisor Gary Kibel shares the top 10 things businesses can tackle now – well in advance of any potential enforcement – to meet the CCPA’s many obligations.
1) Assess the CCPA’s applicability to your business
Determine whether your business falls within the scope of the CCPA. The CCPA applies to businesses that:
- Collect California consumers’ personal information and either have annual gross revenues in excess of $25m
- Process the personal information of 50,000 or more California consumers, households, or devices
- Derive 50% or more of their annual revenues from selling California consumers’ personal information
Note that the CCPA has broad applicability and protects the information of California residents (not only when they are present in California). This means that certain “geofencing” strategies that were used to avoid the applicability of the GDPR may not be sufficient in the case of the CCPA.
2) Review and track your data collection practices and data streams
It’s important to have a firm understanding of what personal information your business is collecting, how the personal information is being processed, and with whom the personal information is being shared. The CCPA will require you to disclose collected data to consumers who request it and to inform consumers of your data collection practices before you collect personal information. If your business has not already done so, consider creating system diagrams that document the lifecycle of collected data and data flow maps for locating a customer’s personal information. This will also help with your recordkeeping efforts.
3) Maintain records of data processing activities
Under the CCPA, a California consumer is entitled to request that a business provide certain disclosures as they relate to the processing of that consumer’s personal information within the year preceding the request in a readily usable format. This is sometimes referred to as the “look back” provision. Since consumers can start exercising their rights and requesting information about a business’s data processing activities on January 1, 2020, this technically means that a year prior to such possible request businesses should be keeping records on their processing activities in a way that enables them to respond effectively to this “look back” provision.
The recent amendments to the CCPA did not postpone the applicability of the “look back” provision. Because the Attorney General’s approach to enforcement is unclear at this time, businesses will need to have processes in place to organize and manage consumer data collected well before the Attorney General commences enforcement activities.
4) Review policies and identify gaps with GDPR
There is a common misconception that being GDPR compliant means you are also CCPA compliant. This is not the case. Businesses should certainly coordinate their GDPR and CCPA compliance efforts, but also be mindful of the differences.
For example, the CCPA explicitly restricts discrimination against consumers that have exercised their rights under the CCPA, including by charging different prices for services or providing a different level of services. Businesses should take steps to uncover gaps in their current practices that are not yet CCPA-compliant, identify operational challenges that CCPA compliance may pose and plan for compliance action.
5) Review external privacy policies and other consumer disclosures
The CCPA requires certain disclosures to be made to consumers. Reviewing existing disclosures and commitments currently made by the business can help identify any missing disclosures and commitments required under the CCPA.
6) Plan how to proactively communicate with your consumers about CCPA compliance
Devise a uniform, public-facing message that communicates to your consumers and clients about the business’ position on CCPA compliance. This message can be used whenever a consumer or a corporate client asks about CCPA. The message should be disseminated within the business to ensure employees understand how to effectively communicate the business’s position on CCPA.
7) Stay up-to-date on state and federal privacy developments
The CCPA will not be the last data privacy regulation your business will have to address. There are numerous new state laws pending, including proposed laws in Washington State and New York. The Federal Government has also introduced various new privacy bills, including one that can preempt state laws including the CCPA. Staying current on privacy developments and frequently conversing with your privacy counsel will help you prepare for and react more appropriately to legal changes that impact your business.
8) Assess third parties
One of the major requirements under the CCPA is to provide consumers with the opportunity to opt-out of the “sale” of their personal information. The standard is opt-in if the user is under 16.
The definitions of “personal information” and “sale” are both extremely broad. Furthermore, a business is provided with a safe harbor for non-compliance by their service providers if certain controls with the service provider have been put in place. Therefore, consider all third parties with whom the business is working and the contracts with such third parties, both in terms of parties to whom data is transferred and counter-parties when the business is a recipient of data.
9) Be flexible
While it is best to take action, even while the industry waits for regulations from the Attorney General, every organization needs to be flexible should the regulations move the goal posts on your plans. The CCPA was amended in September 2018 and another amendment was proposed in February 2019 that would significantly expand the private right of action and eliminate a cure period under the law, thus greatly increasing the potential exposure to companies.
10) Consult with your privacy counsel
Work with outside legal counsel that is well-versed in privacy law and the CCPA in particular. Due to the complexities and current uncertainties of the CCPA, the legal, regulatory and technical implications of the CCPA and other privacy laws could have a significant impact on your business’s data processing activities.