CCPA

The California Consumer Privacy Act (CCPA) officially launched January 1, 2020—but with the enforcement regulations still not finalized, some provisions of the law have not yet been implemented. Organizations that are stuck playing catch up in determining exactly how they'll comply when full enforcement begins July 1 should focus their efforts on a few key gaps that will have the biggest impacts on compliance:

  • The ability to efficiently respond to consumer requests for data;
  • Preventing and managing breaches of personal data, and the resulting fines and reputational hazards; and
  • Maintaining proper preservation of data needed for civil or criminal litigation.

Coincidentally, these critical gaps tend to track with the biggest mistakes that many companies are currently making in their efforts to comply with the CCPA. There are three primary obstacles that companies are running into—we'll examine those obstacles below, and offer some defensible practices that can help general counsel and chief legal officers tighten up cross-departmental processes to help with their compliance efforts.

Mistake #1: Failure to Harmonize the "Right to be Forgotten" with Retention Regulations

The data subject access request (DSAR) was popularized with the EU's General Data Protection Regulation (GDPR), and the CCPA has carried this same tradition to America and granted consumers a few new rights, namely:

  • The right to know what information a business holds on them;
  • The right to be forgotten (have their personal data deleted); and
  • The right to opt out of having their information sold.

Much has been made of the 45-day timeline (and the other, shorter timelines within it, many of which were updated in February), as well as the costs of completing these requests ($1,400 per request, according to analyst firm Gartner). Given that relatively short window, it is critical to have an up-to-date data inventory so that the teams or individuals in charge of fulfilling these requests can quickly and efficiently find the required information across enterprise shared drives and physical hard drives.

With all of that to work through, and data potentially changing hands a number of times, mistakes can happen. What if a company receives a request for deletion, but the data requested is already bound by another law or regulation, like a legal hold? Deleting data that could be relevant to anticipated or pending litigation can have devastating consequences, making it imperative that the DSAR process is harmonized with the legal hold process.

Similarly, cross-checking with other retention regulations (many of which might be industry-dependent) is another critical step—but only possible with an up-to-date library of those regulations as part of the process of verifying that data can be deleted.

Mistake #2: Not Including Paper in the Consumer Request Process

For many large and mid-size companies, file cabinets and paper records are still very much a reality. Enterprises that have been around for decades may still have unchecked boxes of documents and paper records that no longer serve a business purpose. However, it's still data—it still needs to be produced during a consumer request—and paper records have played a key role in recent data privacy litigation. Why? Because paper records can be hard to produce.

The CCPA doesn't distinguish between electronic and paper data. With litigation concerns already mounting for many GCs due to COVID-19, employee termination suits in which attorneys seek large settlements exploit the difficulty businesses have in producing everything, so such suits are likely to continue.

Whether it's paper or digital, the question for most businesses remains the same: Why is the data being retained in the first place? Has its business purpose been fulfilled? If so, it's a hazard to keep it, plain and simple. Lax enterprise retention enforcement has the potential to become an even bigger problem for some organizations, however, as retention standards also play a key role in the third mistake companies are making.

Mistake #3: Retaining Too Much Data, and the Risk that Breaches Represent

If high-profile data breach cases ranging from Equifax to the more recent CCPA class-action suit against Hanna Andersson weren't enough to make GCs think twice about their organization's retention policies, it should be clear: Data you don't have can't be breached. You don't have to protect data you don't have. And you don't have to spend time fulfilling consumer requests for deletion if retention standards are in place and enforced.

Although the best-case scenario is that a company doesn't suffer a breach, breaches actually occur on a somewhat regular basis. While the majority of them aren't cataclysmic, the penalties for breaches under the CCPA and GDPR make it clear that holding too much organizational data is a ticking timebomb. While the CCPA doesn't have a retention standard the way the GDPR does, statutory damages of up to $750 per data subject show what an unsustainable cost a breach affecting 10,000 or more individuals could pose.

We're still early in this new era of data privacy regulations, but we've seen enough evidence that building and enforcing retention policies can help prevent enterprises everywhere from becoming the next big headline.

Rebecca Perry is the Director of Strategic Partnerships at Exterro, the leader in helping companies manage their information compliantly and defensibly – in compliance with data privacy and cybersecurity regulations like the GDPR, NYS DFS, CCPA and others. Rebecca has been with Exterro more than 25 years helping legal, compliance, privacy and IT executives in the areas of information governance, data mapping, data minimization, records retention and third-party diligence. She manages the Alliance Partnership with the Association of Corporate Counsel and builds strategic relationships with leading law firms.