What Businesses Can Be Doing Now to Prepare for the CCPA
For many businesses, this is the first time that they will have to comply with an over-arching privacy law, which has made the process of complying with the CCPA difficult.
September 04, 2019 at 12:05 PM
6 minute read
As its Jan. 1, 2020, effective date draws closer, businesses subject to the California Consumer Privacy Act (CCPA) are struggling not only with what the statute means but also with how to structure a compliance program to meet the law's requirements. For many businesses, this is the first time that they will have to comply with an over-arching privacy law, which has made the process of complying with the CCPA difficult. Other entities that have already had to comply with comprehensive privacy laws such as HIPAA, GLBA or GDPR are trying to navigate how those laws relate to the CCPA and how they can leverage existing policies and procedures toward CCPA compliance.
Of course, CCPA compliance has been made even more difficult because the law is still not solidified. At the time of writing this article, the California legislature is considering a number of bills that will, if passed, modify some parts of the CCPA. That process will conclude when the legislature closes Sept. 13.
Pursuant to the law, the California Attorney General's office is required to publish interpretative regulations governing its enforcement of the CCPA. The AG's office has announced that it will publish draft regulations in fall 2019 on the following seven categories: additional categories of personal information, definition of unique identifiers, exceptions, submitting and complying with verified consumer requests, providing a uniform opt-out logo button, guidance on notices and information to consumers, including financial incentive offerings, and verification of consumer's requests.
Notwithstanding these challenges of having an unfinalized law and no AG official guidance, there are a number of steps that businesses can and should take now to start their CCPA compliance program.
First, businesses should perform a risk analysis in view of their CCPA compliance obligations to address the highest risk activities first. For example, businesses with only limited operations in California should address those operations first and then move on to operations that may be tangentially implicated by the CCPA. Similarly, businesses that are able to take advantage of one of the CCPA's exemptions should consider whether their compliance programs should first focus on operations that are not subject to the exemptions. Businesses also should understand that their marketing and website activities are likely their most consumer-facing activities and have a higher risk profile than other types of activities.
Perhaps most important, identifying and prioritizing risk allows businesses to take a "one-bite-at-a-time" approach to compliance. In many instances, businesses become paralyzed by the daunting task of driving CCPA compliance. Trying to break compliance into smaller, achievable steps is a great way to gain momentum and obtain buy-in from relevant stakeholders.
Businesses also should analyze how the CCPA will impact the flow of personal information among related corporate entities. By way of explanation, the CCPA defines "business" to include not only the subject entity but also any entity that shares common control and common branding. To the extent that related entities are not commonly-branded (which is commonplace in many complicated corporate structures), businesses will need to analyze how those entities should be treated under the CCPA and whether existing information flows between such entities will need to be disclosed to California residents and/or subject to the CCPA's opt-out provision.
Similarly, businesses should identify all of their existing corporate websites. A common theme we have found with clients is that the legal teams often do not know all of the unique websites that are under the same corporate umbrella. When one considers that the CCPA will require businesses to revise online privacy notices, it becomes apparent that a necessary first step is to determine how many websites will need revised/updated notices and whether many (or perhaps all) of the websites can share the same privacy notice.
In this same vein, one of the first—if not the first—department that a business should be prioritizing for CCPA compliance is the marketing department. Any good marketing department will be constantly searching for innovative ways to attract new customers or sell new products to existing customers. There is nothing wrong with that and the CCPA does not outlaw those efforts. However, the CCPA will require marketing departments to play by a new set of rules with respect to the personal information of California residents. Those rules will include disclosing how information is collected and shared with other entities, responding to requests to access or delete that information, and allowing California residents to opt-out of the selling of personal information to third parties. Those rules do not need to stall marketing efforts. To the contrary, a number of companies have begun marketing their privacy programs as a reason for purchasing their products. In any event, getting buy-in and cooperation from the marketing department as soon as possible will be a significant hurdle to clear for any CCPA compliance program.
After businesses have taken time to go through some (or all) of these preliminary reviews, they should turn to performing a data inventory. However, businesses should be aware that simply documenting data elements is not going to be enough. Among other things, the CCPA will require businesses to document the business/commercial purpose for the collection, whether the data element is covered by the CCPA, whether it is shared or disclosed with another entity and whether it is subject to the CCPA's opt-out provisions. Understanding what the CCPA requires before starting a data inventory is critical to getting the process completed correctly the first time.
In sum, as we wait for the California legislature and Attorney General's office to finalize the CCPA and provide compliance guidelines, there are a number of more administrative steps that businesses subject to the CCPA can perform to jump start their compliance programs and put themselves in a position to drive compliance prior to Jan. 1, 2020. Given that many of these steps can take weeks (if not months) to finish, businesses should not hesitate to start these initial steps toward compliance as soon as possible.
David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at [email protected].
Robert J. Bowman is a Denver-based partner in the firms technology, manufacturing and transportation industry group and a co-leader of the firm's internet of things team. He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250