This is the second article in a two-part series discussing readiness steps organizations should consider when implementing the California Consumer Privacy Act of 2018 (CCPA). As we previously discussed, CCPA establishes a new privacy framework for “covered businesses” that fall within its jurisdiction by:

  • Creating an expanded definition of “personal information”;
  • Creating new data privacy rights for California consumers, including rights to know, access, delete, and opt out of the “sale” of their personal information;
  • Imposing special rules for the collection and sale of personal information directly from minors; and
  • Creating a new statutory damages framework for violators that fail to implement and maintain reasonable security procedures and practices to prevent data security breaches.

A “covered business” refers to businesses described in Cal. Civ. Code Section 1798.140(c).

Accordingly, businesses must understand the impact CCPA will have on operations, what exceptions may apply, and how to organize readiness activities. In this second part, we outline eight specific steps toward CCPA readiness.

  1. Establish and maintain a data inventory of California residents' personal information that has been collected or sold.

Perform a review of IT systems to document the categories of personal information:

  • Collected from California residents in the past 12 months; and
  • Sold—or disclosed for business purposes—in the past 12 months.

Another key feature of this workstream is to understand what policies, procedures, notices, agreements and other relevant documentation are already in place, to avoid duplicating efforts. In fact, performing this work in earnest will help shape future readiness activities. Some businesses may have the internal resources and expertise to conduct this review in-house, while others may need to retain external consultants to perform a reliable assessment and identify data in scope for CCPA (including legacy systems and unstructured data).

In addition, understanding data inventories could help determine if your business falls within CCPA's scope because you buy, receive, sell or share personal information of 50,000 consumers or more.

  2. Revise and update privacy notices (Sections 1798.100(b) and 1798.130(a)(5)).

Organizations subject to CCPA must also affirmatively disclose the following in their online privacy policy:

  • At or before the time of collection, what personal information the business will collect about consumers and the purposes for which that data will be used;
  • A description of a consumer's rights and one or more designated methods for submitting requests;
  • The categories of consumer personal information that were actually collected in the preceding 12 months; and
  • The categories of consumer personal information that were sold or disclosed for “business purposes” in the preceding 12 months.

Note that these categories of personal information must be disclosed by reference to the enumerated categories in Section 1798.110(c). For example, Section 1798.110(c)(3) of CCPA requires covered businesses to disclose—not only what personal information was collected—but also “the business or commercial purpose for collecting or selling personal information.”

As part of this exercise, covered businesses will also need to decide if they wish to maintain one privacy notice for California residents and one for other consumers, or just have one universal policy.

  3. Verifiable consumer requests. CCPA requires covered businesses to respond within 45 days from receipt of a verifiable consumer request with specific and accurate disclosures about:
  • What categories of the requesting consumer's personal information were actually collected in the past 12 months.
  • What categories of the requesting consumer's personal information were sold or disclosed for business purposes in the past 12 months.

Data collection. CCPA also requires that covered businesses responding to verifiable consumer requests about data collection include information about:

  • The categories of sources from which personal information was collected;
  • The business or commercial purpose for collecting or selling that personal information;
  • The categories of third parties with whom the business has shared personal information; and
  • The specific pieces of personal information it has collected about that consumer.

Sales or disclosures. When responding to verifiable consumer requests about data sales or disclosures, covered businesses must disclose, as applicable:

  • The categories of personal information sold and to whom it was sold; or
  • The categories of personal information disclosed for a business purpose and to whom it was disclosed.

Contacting covered businesses. Covered businesses must also provide at least two methods by which consumers may make verifiable consumer requests for disclosures. At a minimum, this includes:

  • Toll-free number; and
  • Online form.

Authentication and secure transmission. Business IT systems must be able to authenticate each consumer before responding directly to specific requests. Any personal information transmitted to a verified consumer should be sent securely and encrypted in transit.

If a covered business does not collect sufficient personal information to verify or otherwise authenticate the identity of the consumer, then it may not require that consumer to create an account or supplement information to verify the request. Covered businesses in this situation may be unable to respond to consumer requests for information.

  4. Access rights (Section 1798.110(a)(5)). CCPA guarantees consumers the right to access a copy of the “specific pieces of personal information that [a business] has collected about that consumer,” to be delivered either by mail or electronically.
  • IT systems must be capable of identifying personal information provided to the covered business directly by the consumer, and compiling that personal information in a portable and, to the extent technically feasible, readily usable format to be provided to a consumer or third party.
  • At all times, covered businesses must be able to securely authenticate the consumer. In cases where a covered business is processing personal information on behalf of another business, however, those IT systems must be capable of assisting corporate customers directly subject to CCPA to comply with this requirement.
  • Data retention. IT systems must be able to retain personal information to respond to verifiable access requests (likely 12 months or as otherwise required by applicable law). Covered businesses should also develop policies for the secure disposal of personal information no longer needed for legal or business reasons.
  5. Erasure rights (Section 1798.105). CCPA empowers consumers to request the deletion of their personal information from business servers and service providers. Covered businesses must be prepared to honor the deletion request, unless an exception applies. Those exceptions include situations where it is necessary to maintain the personal information to:
  • Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or otherwise perform a contract between the business and the consumer.
  • Detect security incidents and otherwise maintain data security.
  • Debug to identify and repair errors.
  • Exercise a right provided for by law.
  • Comply with the California Electronic Communications Privacy Act.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest when deletion would render it impossible or seriously impair the achievement of such research.
  • Comply with legal obligations.
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
  • Otherwise use the consumer's personal information internally in a lawful manner that is compatible with the context in which the personal information was provided.

In cases where the covered business is acting as a data processor, IT systems must be capable of assisting corporate customers to comply with this erasure requirement.

  6. Right to opt out of the sale of personal information (Section 1798.120). CCPA gives consumers the right to opt out of the sale of their personal information to third parties. If an individual consumer does not affirmatively opt out, then their data may be sold without further action (provided that sale is disclosed in the business's privacy policy). To comply, covered businesses must:
  • Post a “clear and conspicuous” link titled “Do Not Sell My Personal Information” on their website.
  • Describe the right and include a link to the opt-out page in their privacy policy.
  • Ensure individuals responsible for handling consumer inquiries are trained about opt-out requirements and how to direct consumers to exercise their opt-out rights.

In addition, IT systems must be able to:

  • Authenticate each consumer before responding directly to specific requests.
  • Honor “Do Not Sell” requests.
  • Refrain from re-asking the consumer for consent to sell “for at least 12 months before requesting that the consumer authorize the sale of” their personal information.
  • Process opt-out requests from authorized representatives.

Restrictions on sale of minors' personal information. CCPA also affords minors special protections. Specifically, CCPA generally prohibits the sale of personal information if the business has actual knowledge that the consumer is under 16 years of age or willfully disregards the consumer's age. To sell that data, covered businesses must:

  • Ages 13 through 16: obtain affirmative consent to sell personal information directly from consumer.
  • Ages 0 through 13: obtain parental consent to sell personal information.

In addition, IT systems must be able to:

  • Authenticate each consumer before responding directly to specific requests.
  • Treat consumers differently depending on the consumer's age.
  • Identify, adequately inform, and obtain appropriate or verified parental consent securely to sell a minor's personal information.
  • Retain consent for as long as the covered business maintains a relationship with the consumer.
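The opt-out and minors requirements above describe behaviour an IT system must enforce rather than a document to publish. The following is an added illustration, not code from the article or from any CCPA implementation, of a small consent registry that encodes those rules: a “Do Not Sell” flag that can be set by the consumer or an authorized representative only after authentication, a cooldown before an opted-out consumer may be asked to authorize sales again, age-tiered consent for minors, and consent that is discarded when the relationship ends. The class, method and field names are hypothetical; the tier boundaries (under 13 requires verified parental consent, 13 up to but not including 16 requires the minor's own consent, 16 and over follows the opt-out model) and the 365-day approximation of “at least 12 months” are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Tuple

# Added illustration (not from the article or any CCPA implementation): a
# consent registry that encodes the sale-consent rules the article lists.
# Assumed tier boundaries: under 13 -> verified parental consent required;
# 13 up to (not including) 16 -> the minor's own affirmative consent required;
# 16 and over -> opt-out model ("Do Not Sell" honoured when on file).
# "At least 12 months" before re-asking is approximated as 365 days.
REASK_COOLDOWN = timedelta(days=365)


@dataclass
class Consumer:
    consumer_id: str
    birth_date: date


@dataclass
class ConsentRecord:
    granted_by: str     # "self" (ages 13-15) or "parent" (under 13)
    granted_on: date
    verified: bool      # consent was obtained through a verified channel


@dataclass
class OptOutRecord:
    received_on: date
    submitted_by: str   # "consumer" or "authorized_representative"


def age_on(birth_date: date, today: date) -> int:
    """Whole years between birth_date and today."""
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


class SaleConsentRegistry:
    """Tracks opt-outs and minors' consent and answers 'may we sell?' queries."""

    def __init__(self) -> None:
        self.opt_outs: Dict[str, OptOutRecord] = {}
        self.consents: Dict[str, ConsentRecord] = {}

    def record_opt_out(self, consumer: Consumer, received_on: date,
                       submitted_by: str, requester_authenticated: bool) -> None:
        # The request must be authenticated whether it comes from the consumer
        # or from an authorized representative acting for them.
        if not requester_authenticated:
            raise PermissionError("opt-out request not authenticated")
        if submitted_by not in ("consumer", "authorized_representative"):
            raise ValueError("unknown requester type")
        self.opt_outs[consumer.consumer_id] = OptOutRecord(received_on, submitted_by)

    def record_consent(self, consumer: Consumer, record: ConsentRecord) -> None:
        self.consents[consumer.consumer_id] = record

    def end_relationship(self, consumer: Consumer) -> None:
        # Consent is retained only while the business relationship lasts.
        self.consents.pop(consumer.consumer_id, None)

    def may_sell(self, consumer: Consumer, today: date) -> Tuple[bool, str]:
        """Decide whether this consumer's data may be sold today, with a reason."""
        age = age_on(consumer.birth_date, today)
        consent = self.consents.get(consumer.consumer_id)
        if age < 13:
            if consent and consent.verified and consent.granted_by == "parent":
                return True, "verified parental consent on file"
            return False, "under 13: verified parental consent required"
        if age < 16:
            if consent and consent.verified and consent.granted_by == "self":
                return True, "minor's affirmative consent on file"
            return False, "13-15: minor's own affirmative consent required"
        if consumer.consumer_id in self.opt_outs:
            return False, "Do Not Sell request on file"
        return True, "16 or over and no opt-out on file"

    def may_request_authorization(self, consumer: Consumer, today: date) -> Tuple[bool, str]:
        """May the business ask an opted-out consumer to authorize sales again?"""
        opt_out = self.opt_outs.get(consumer.consumer_id)
        if opt_out is None:
            return True, "no opt-out on file"
        earliest = opt_out.received_on + REASK_COOLDOWN
        if today < earliest:
            return False, "cooldown until " + earliest.isoformat()
        return True, "cooldown elapsed"
```

Every decision returns a reason string alongside the boolean so that the outcome can be logged for audit; a real deployment would persist the records rather than hold them in memory and would tie `requester_authenticated` to the verification process used for other consumer requests.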
  7. Update service level agreements with third-party data processors. Covered businesses should assess contractual commitments with third-party data processors:
  • Assess the categories of personal information processed by third parties.
  • Assess whether processing activities meet the definition of “selling” under CCPA, or if a statutory exception applies.
  • Explore the possibility of re-negotiating those arrangements to avoid the definition of “selling.”
  8. Train personnel with access to personal information about CCPA requirements. CCPA mandates that individuals responsible for handling consumer inquiries or the covered business's compliance be “informed” of relevant statutory requirements.
  • Develop CCPA awareness training for in-scope personnel.
  • Monitor authorized users of IT systems containing personal information, including information belonging to minors.
  • Adopt written procedures, guidelines, and standards to ensure the use of CCPA-compliant development practices for in-house IT applications.
  • Establish procedures to evaluate the compliance of externally developed IT applications.
  • Maintain current knowledge of CCPA legislative developments, including guidance from the Attorney General.
  • Establish a due diligence and onboarding process covering third-party service providers' compliance with CCPA requirements.
  • Conduct periodic assessments of third-party IT systems.
  • Obtain representations and warranties about third-party service providers' compliance with CCPA.

Stay tuned for additional legislative developments related to CCPA that are sure to come, as the California Attorney General must still adopt implementing regulations—after broad public participation—no later than July 1, 2020. Beyond that, it is important to bear in mind that various industry groups are still advocating for legislative clarifications, so additional changes may occur before this law goes into full effect in 2020.

Harry A. Valetk is a member of Baker McKenzie's global privacy and security practice group based in New York, where he focuses his practice on advising clients on global privacy compliance and cybersecurity practices. He can be reached at [email protected].

Brian Hengesbaugh is a partner and chair of Baker McKenzie's global privacy and security practice group based in Chicago. He focuses his practice on global data privacy and data security issues in business transformations, compliance activities and incident response/regulatory inquiries. He can be reached at [email protected].