
New Year's Day is fast approaching, and with it, the deadline for compliance with the California Consumer Privacy Act (CCPA)—the Golden State's new data privacy law and the strictest in the nation. As the clock ticks forward, businesses are struggling to get their houses in order, working to make certain that their privacy policies inform customers about what personal information (PI) is being collected about them and to whom it may be sold. On the back end, protocols are being hurriedly drafted to handle customer requests to access, delete, or opt out of the sale of their PI.

The proposed CCPA regulations released by California's attorney general in October have prompted public comment and raised as many questions as they've answered. One thing we know for certain is that the AG is prevented from bringing an enforcement action for noncompliance before July 1, 2020 or six months after publication of the final regulations (whichever is earlier). That being said, the CCPA is unclear whether such an action could be triggered by noncompliance as of the CCPA's effective date (Jan. 1) or if the AG will only take action for infractions occurring subsequent to the latter date. But before you throw your hands up in the air and pray that an enforcement action doesn't land at your doorstep—either sooner or later—here are three key takeaways that should govern your approach to CCPA compliance.

Data Mapping

While the CCPA itself doesn't explicitly address data mapping, it's the linchpin of a successful data governance program. In short, a data map is a document that tracks what data your organization collects, where it resides, and who's in charge of (or owns) that information. Think of it this way: you could probably figure out how to drive from Los Angeles to New York without GPS or maps, but the journey would likely take you a lot longer than if you were properly equipped, and might well result in your going places that were never intended. The obvious corollary to the CCPA is that in the absence of a baseline data map, you'll likely struggle to respond to CCPA rights invocations in a timely manner. Therefore, it's worth investing time and effort up front to develop a data map, and to make sure it's updated on a quarterly and annual basis.

Service Provider Agreements

The CCPA draws a critical distinction between "service providers"—to whom businesses are permitted to "sell" PI—and "third parties." To qualify as a "service provider," your vendors must be bound by written contracts that prohibit them from "retaining, using, or disclosing [consumers' PI] for any purpose other than for the specific purpose of performing the services specified in the contract." Many confidentiality provisions in service agreements include similar parameters, but it's important for organizations like yours to review vendor agreements to be sure they incorporate this important restriction. If necessary, you should offer a standard addendum to existing contracts that sets forth these critical terms.

Data Governance

You may have successfully revised your company's privacy policy to include all of the new CCPA requirements, and perhaps you've even set up your web portal to receive "do not sell" CCPA requests, but do you have a procedure in place for processing CCPA rights invocations received from customers after the compliance deadline? The best solution is to institute a data governance policy, identifying who within your organization is charged with analyzing and processing CCPA requests, as well as providing a checklist or other system to document compliance for due diligence purposes. Like creating the data map, this can seem like a daunting task at the outset, but that shouldn't serve as an obstacle. Remember, the data governance policy is a living document that focuses first on establishing a baseline set of processes. It also operates in conjunction with your data map. When consumers request access to their PI, refer first to that map to identify where responsive information resides within your organization and which "owner" should be contacted. Then, pursuant to your data governance policy, you can record each step regarding the formulation of your response in order to demonstrate due diligence and CCPA compliance.

Also, rather than charging a single person with managing your privacy compliance program, consider whether your organization can support an interdepartmental data privacy team—the benefit being that all key stakeholders get a seat at the table. For instance, if your marketing department intends to launch a new campaign involving data collection and processing, the data privacy team can address potential issues from a legal, business, technical, and security perspective. This is certainly more advantageous than relying on a sole compliance officer who might be seen as an obstruction to business objectives.

The Bottom Line

If you're still working on a CCPA compliance program, it's important to consult with an attorney specializing in data privacy as soon as possible. To be sure, formulating a data map and reviewing vendor agreements, among other necessary things, can be time consuming and should be initiated right away. But never fear, if you're determined to meet the CCPA deadline, there's plenty of time to do so—if you act now.

Scott Lyon is a partner at Michelman & Robinson, a national law firm headquartered in Los Angeles with additional offices in Orange County (California), San Francisco, Chicago and New York City. His practice focuses on helping clients create and implement effective cybersecurity and data privacy programs and policies. As an attorney and IT professional, Lyon also provides advice on best practices in the event of data breaches. He can be contacted at 714-557-7990 or [email protected].