What Businesses Can Be Doing Now to Prepare for the CCPA
For many businesses, this is the first time that they will have to comply with an over-arching privacy law, which has made the process of complying with the CCPA difficult.
September 04, 2019 at 12:05 PM
As its Jan. 1, 2020, effective date draws closer, businesses subject to the California Consumer Privacy Act (CCPA) are struggling not only with what the statute means but also with how to structure a compliance program to meet the law's requirements. For many businesses, this is the first time that they will have to comply with an over-arching privacy law, which has made the process of complying with the CCPA difficult. Other entities that have already had to comply with comprehensive privacy laws such as HIPAA, GLBA or GDPR are trying to navigate how those laws relate to the CCPA and how they can leverage existing policies and procedures toward CCPA compliance.
Of course, CCPA compliance has been made even more difficult because the law is still not solidified. At the time of writing this article, the California legislature is considering a number of bills that will, if passed, modify some parts of the CCPA. That process will conclude when the legislature closes Sept. 13.
Pursuant to the law, the California Attorney General's office is required to publish interpretative regulations governing its enforcement of the CCPA. The AG's office has announced that it will publish draft regulations in fall 2019 on the following seven categories: additional categories of personal information, definition of unique identifiers, exceptions, submitting and complying with verified consumer requests, providing a uniform opt-out logo button, guidance on notices and information to consumers, including financial incentive offerings, and verification of consumer's requests.
Notwithstanding the challenges of an unfinalized law and no official AG guidance, there are a number of steps that businesses can and should take now to start their CCPA compliance program.
First, businesses should perform a risk analysis in view of their CCPA compliance obligations to address the highest risk activities first. For example, businesses with only limited operations in California should address those operations first and then move on to operations that may be tangentially implicated by the CCPA. Similarly, businesses that are able to take advantage of one of the CCPA's exemptions should consider whether their compliance programs should first focus on operations that are not subject to the exemptions. Businesses also should understand that their marketing and website activities are likely their most consumer-facing activities and have a higher risk profile than other types of activities.
Perhaps most important, identifying and prioritizing risk allows businesses to take a "one-bite-at-a-time" approach to compliance. In many instances, businesses become paralyzed by the daunting task of driving CCPA compliance. Trying to break compliance into smaller, achievable steps is a great way to gain momentum and obtain buy-in from relevant stakeholders.
Businesses also should analyze how the CCPA will impact the flow of personal information among related corporate entities. By way of explanation, the CCPA defines "business" to include not only the subject entity but also any entity that shares common control and common branding. To the extent that related entities are not commonly-branded (which is commonplace in many complicated corporate structures), businesses will need to analyze how those entities should be treated under the CCPA and whether existing information flows between such entities will need to be disclosed to California residents and/or subject to the CCPA's opt-out provision.
Similarly, businesses should identify all of their existing corporate websites. A common theme we have found with clients is that the legal teams often do not know all of the unique websites that are under the same corporate umbrella. When one considers that the CCPA will require businesses to revise online privacy notices, it becomes apparent that a necessary first step is to determine how many websites will need revised/updated notices and whether many (or perhaps all) of the websites can share the same privacy notice.
In this same vein, one of the first departments, if not the first, that a business should prioritize for CCPA compliance is the marketing department. Any good marketing department will be constantly searching for innovative ways to attract new customers or sell new products to existing customers. There is nothing wrong with that, and the CCPA does not outlaw those efforts. However, the CCPA will require marketing departments to play by a new set of rules with respect to the personal information of California residents. Those rules will include disclosing how information is collected and shared with other entities, responding to requests to access or delete that information, and allowing California residents to opt out of the selling of personal information to third parties. Those rules do not need to stall marketing efforts. To the contrary, a number of companies have begun marketing their privacy programs as a reason for purchasing their products. In any event, getting buy-in and cooperation from the marketing department as soon as possible will be a significant hurdle to clear for any CCPA compliance program.
After businesses have taken time to go through some (or all) of these preliminary reviews, they should turn to performing a data inventory. However, businesses should be aware that simply documenting data elements is not going to be enough. Among other things, the CCPA will require businesses to document the business/commercial purpose for the collection, whether the data element is covered by the CCPA, whether it is shared or disclosed with another entity and whether it is subject to the CCPA's opt-out provisions. Understanding what the CCPA requires before starting a data inventory is critical to getting the process completed correctly the first time.
In sum, as we wait for the California legislature and Attorney General's office to finalize the CCPA and provide compliance guidelines, there are a number of more administrative steps that businesses subject to the CCPA can perform to jump-start their compliance programs and put themselves in a position to drive compliance prior to Jan. 1, 2020. Given that many of these steps can take weeks (if not months) to finish, businesses should not hesitate to start these initial steps toward compliance as soon as possible.
David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at [email protected].
Robert J. Bowman is a Denver-based partner in the firm's technology, manufacturing and transportation industry group and a co-leader of the firm's internet of things team. He can be reached at [email protected].
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.