Complying With the Toughest Data Privacy Law in the United States
California's new privacy regulation possesses the potential to cause a seismic shift in the landscape of data privacy law not just in California, but across the country.
March 07, 2019 at 07:00 AM
In response to the recent wave of high-profile data breach incidents—including those experienced by Target, Equifax, Cambridge Analytica, and many others—the California state government has enacted what is, to date, the most groundbreaking privacy legislation in United States history. Known as the California Consumer Privacy Act of 2018 (CCPA), California's new privacy regulation possesses the potential to cause a seismic shift in the landscape of data privacy law not just in California, but across the country.
Importantly, this new sweeping privacy legislation will impose a multitude of new, extremely demanding notice, disclosure, and consent requirements on a vast array of business entities that conduct operations and/or handle the personal information of California residents. Businesses who fall under the scope of the CCPA can expect the compliance process to be complex, just as many organizations have put the final touches on their compliance efforts with respect to the European Union's own game-changing privacy law—General Data Protection Regulation (GDPR)—which took effect in May 2018.
Fortunately, through the implementation of several best practices described in this article, companies covered by the CCPA can achieve effective compliance with California's exacting privacy legislation.
CCPA Compliance Strategy
Covered businesses should not assume that being GDPR-compliant automatically makes them CCPA-compliant. Although many of the CCPA's provisions are similar to the requirements promulgated under GDPR, the CCPA provides for differing rights, obligations, and expectations as compared to its European counterpart. Thus, compliance with GDPR will not necessarily ensure compliance with the CCPA. As such, covered businesses that are subject to both GDPR and the CCPA will need to develop and implement a distinct CCPA-specific compliance strategy that involves differentiated, tailored policies and practices for consumers in these separate jurisdictions.
Ensuring compliance with California's new sweeping privacy law requires a comprehensive, strategic approach that encompasses three vital facets: planning and analysis, implementation, and quality assurance.
With respect to the planning and analysis phase, the first operational response for compliance with the CCPA is to conduct an inventory analysis of all personal data that is handled by the covered business. To accomplish this task, companies must map and inventory every piece of personal information that is collected, used, and/or sold by the company, as well as all of the company's data processing practices, including those relating to the collection and use, retention, and disposal of consumer data. From there, companies should establish and maintain a data inventory of all such personal information in order to ensure that data is well prepared to satisfy access, deletion, and portability requests from consumers. Ideally, a covered business's mapping and inventory methods and practices should provide the organization with the capability to identify data location information as it relates to individual data subjects, so that covered businesses can effectively respond to the myriad of different consumer requests that are permissible under the CCPA.
By far, the most time- and labor-intensive aspect of the CCPA compliance process relates to the implementation phase, which will require organizations to develop and implement a range of policies, procedures, and practices that will allow covered businesses to comply with the many requirements of the CCPA. One major aspect of the implementation phase pertains to providing the mandated disclosures and notices required by California's new privacy law. Companies will need to update their privacy policies with the information that is required to be affirmatively disclosed to consumers pertaining to consumers' rights under the CCPA, including a toll-free number and a website for consumers to submit requests, as well as a link on the company's Web page titled “Do Not Sell My Personal Information” to facilitate the opt-out process.
Another major aspect of the implementation phase relates to the development of methods and systems for responding to consumer requests. Companies must ensure that they have the operational capabilities to timely handle and respond to consumer requests made under the CCPA. If a company does not possess such capabilities, the organization should immediately begin to develop and implement the necessary programs and controls to ensure the ability to adhere to the law's arduous consumer request obligations, such as mechanisms to delete data, disclose consumer information upon request, and ensure that no data of a consumer who has opted out is sold.
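The data mapping and inventory work described above, and the request-handling mechanisms that depend on it, are easier to reason about with a concrete model. The following is an added illustration, not code from the article or from any vendor product: a minimal personal-data inventory that records which fields each system holds and whether that system sells data to third parties, plus handlers for access, deletion and "Do Not Sell" opt-out requests. The store names, field names, consumer identifiers and records are constructed for the example, and the final check (fields present in a store that the inventory does not list) is the kind of gap a periodic quality-assurance review would surface.

```python
"""Personal-data inventory and consumer-request handling (illustrative example).

Constructed example: store names, fields and records below are made up,
and nothing here is tied to a real product or database.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data stores. In practice each key would identify a
# real system (CRM database, marketing platform, analytics warehouse)
# found during the data-mapping exercise.
DATA_STORES: Dict[str, Dict[str, dict]] = {
    "crm": {
        "u-100": {"email": "alice@example.com", "phone": "555-0100"},
        "u-200": {"email": "bob@example.com", "phone": "555-0200"},
    },
    "marketing": {
        "u-100": {"email": "alice@example.com", "segments": ["runners"]},
    },
    "analytics": {
        # "ip_address" is deliberately missing from INVENTORY below
        # to show what an unmapped field looks like.
        "u-200": {"device_id": "dev-9f2", "last_seen": "2019-02-01",
                  "ip_address": "203.0.113.7"},
    },
}


@dataclass
class StoreEntry:
    """What the inventory records about one system: the personal-data
    fields it holds and whether those records are sold to third parties."""
    fields: List[str]
    sold_to_third_parties: bool


INVENTORY: Dict[str, StoreEntry] = {
    "crm": StoreEntry(["email", "phone"], sold_to_third_parties=False),
    "marketing": StoreEntry(["email", "segments"], sold_to_third_parties=True),
    "analytics": StoreEntry(["device_id", "last_seen"], sold_to_third_parties=True),
}

# Consumers who have exercised the "Do Not Sell My Personal Information" opt-out.
OPT_OUT: Set[str] = set()


def access_report(consumer_id: str) -> Dict[str, dict]:
    """Access / portability request: every store holding this consumer's
    data, the record found there, and whether that store sells data."""
    report = {}
    for store, records in DATA_STORES.items():
        record = records.get(consumer_id)
        if record is not None:
            report[store] = {
                "data": dict(record),
                "sold": INVENTORY[store].sold_to_third_parties,
            }
    return report


def delete(consumer_id: str) -> List[str]:
    """Deletion request: remove the consumer from every store and return
    the names of the stores that actually held a record (the audit trail)."""
    purged = []
    for store, records in DATA_STORES.items():
        if records.pop(consumer_id, None) is not None:
            purged.append(store)
    return purged


def opt_out_of_sale(consumer_id: str) -> None:
    """Record a "Do Not Sell" request; enforced by records_for_sale()."""
    OPT_OUT.add(consumer_id)


def records_for_sale(store: str) -> Dict[str, dict]:
    """The only path through which a store's records may leave for a third
    party: refuses stores not flagged as selling, and drops opted-out consumers."""
    if not INVENTORY[store].sold_to_third_parties:
        return {}
    return {cid: dict(rec) for cid, rec in DATA_STORES[store].items()
            if cid not in OPT_OUT}


def unmapped_fields() -> Dict[str, List[str]]:
    """Quality-assurance check: fields present in a live store that the
    inventory does not list. Any hit means the data map is stale."""
    gaps = {}
    for store, records in DATA_STORES.items():
        known = set(INVENTORY[store].fields) if store in INVENTORY else set()
        seen = {f for rec in records.values() for f in rec}
        extra = sorted(seen - known)
        if extra:
            gaps[store] = extra
    return gaps


if __name__ == "__main__":
    print("access report for u-100:", access_report("u-100"))
    print("unmapped fields:", unmapped_fields())
```

Routing every third-party transfer through a single function that consults both the inventory flag and the opt-out set is the design point: the opt-out is honoured by construction rather than by each downstream integration remembering to check. The unmapped-field check is cheap to run on a schedule and catches the most common way a data map drifts, a system starting to collect a field nobody recorded.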
Companies must also implement systems to comply with the CCPA's requirement that organizations implement “reasonable security procedures and practices” to guard against unauthorized access to personal information. Importantly, if a company fails to implement reasonable security measures to safeguard personal information and a data breach occurs, the company opens itself up to lawsuits by consumers under the CCPA's private right of action provision. In order to defend against this risk, companies must take affirmative steps to secure and safeguard the sensitive personal information that is collected and maintained by the organization.
A key practice that companies can implement to aid in the security of the personal information they possess is to incorporate written security policies and procedures in the form of a written information security plan (WISP), which is then integrated throughout the company's operations. In addition, covered businesses should also consider protecting their systems and networks with whitelisting software, which only allows systems to execute programs known and permitted by the company's security policy, and which prevents unauthorized, unknown, or malicious programs, such as ransomware, from executing within the system.
Furthermore, because data today is increasingly becoming a significant potential liability, covered businesses should also consider data minimization policies and practices. Companies can limit the potential fallout from a data compromise event by being selective as to what personal data is collected and stored. At the same time, covered businesses should also develop policies and practices to securely dispose of personal information that is no longer needed by the company.
After companies have put all of their procedures and practices in place to effectively comply with the CCPA's multitude of mandates, covered entities must engage in quality assurance to ensure that the organization is, in fact, remaining compliant with California's new privacy law. As part of the quality assurance phase, companies should conduct periodic risk assessments to identify the primary risks to the personal information maintained by the company, and implement any necessary modifications to the entity's WISP in order to minimize the risk of those vulnerabilities being exploited in a data breach. In addition, because the CCPA requires that covered businesses update their data disclosures every 12 months, covered entities should also periodically review and update their consumer privacy policies to add any additional information that is required to be affirmatively disclosed to consumers.
Last but not least, because the CCPA mandates that individuals responsible for fielding consumer inquiries, or who are otherwise involved with the company's CCPA compliance efforts, be “informed” of the organization's duties under the CCPA, covered entities must provide employees with focused, periodic training regarding the obligations that the organization is required to satisfy to ensure compliance with the new law. Ideally, this training should not be a one-time endeavor, but should be given on a periodic, ongoing, and consistent basis to ensure that all personnel are kept abreast of the complex web of rules and requirements that the CCPA places on covered businesses.
The Final Word
Ultimately, the CCPA possesses the potential to be a game-changer as it relates to the landscape of privacy law not just in California, but across the United States. While the law does not go into effect until January 1, 2020, many of the CCPA's provisions require disclosure of data collected and/or sold over the preceding 12-month period, so full compliance with the CCPA will require significant lead time and resources. Businesses should therefore begin preparing and implementing a plan for compliance as soon as possible in order to ensure that the organization's data collection and processing practices conform to the law's new requirements.
Based on the current effective date of the CCPA, the 12-month look-back period for consumer requests may reach back to as early as January 1, 2019. With that said, this look-back period may be extended to July 2019 in the event the state's Attorney General does not promulgate and publish its regulations until the CCPA-mandated deadline of July 1, 2020. In addition, getting an early start on compliance is also especially important due to the breadth and scope of the new law, which may require companies to invest significant time in order to determine all of the company's systems that require updates, and to implement the changes needed to come into compliance with the new law.
An early start toward compliance can make all the difference between being able to comply with the CCPA and being on the receiving end of a potentially catastrophic class action suit brought under the CCPA's private right of action provision.
Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm's Privacy Class Action Defense group and vice chair of the Corporate Litigation group. Jennifer J. Daniels is a partner at Blank Rome LLP and serves as co-chair of the Firm's Cybersecurity & Data Privacy group. Ana Amodaj and David J. Oberly are associates at Blank Rome LLP and are also members of the Firm's Cybersecurity & Data Privacy group.