The California Consumer Privacy Act went live on January 1, 2020, leaving many companies scrambling to prepare. The law will impact an estimated 500,000 companies, although many suspect the reach of the regulation will be much larger.
Below are some quick tips to get your company CCPA ready!
What is an overview of CCPA?
CCPA (California Consumer Privacy Act) is a broad regulation that applies to for-profit entities that
- Collect personal consumer information,
- Do business in California, and
- Meet at least one of the following: gross revenue greater than $25 million; data transfers involving 50,000 or more consumers, households, or devices; or operation as a sizeable data broker.
To meet the "doing business in California" threshold, companies do not actually need to be operating in California. For example, they will satisfy this prong if they maintain mailing lists that include California residents, ship goods to California, or collect digital user information about California residents. Given that the population of California is 50M, this puts a great many businesses at risk.
Finally, in-house counsel should be aware that the definition of personal information is very broad. The definition is any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
What have we learned from GDPR?
Have a game plan. Companies are all over the board in terms of their compliance. Some are fully compliant; others are waiting to see how the regulatory landscape plays out. Even if your company is in the latter category, make sure you're keeping up to date with what work needs to be done in the future.
Subsidiaries. Many companies have a variety of business units and/or subsidiaries to keep track of. This can oftentimes mean that the compliance function, contracts, and vendor compliance programs are disconnected. Make sure that you have a team member who is responsible for ensuring compliance across all areas of your business.
Where is your data? Figure out where your data is housed! This is oftentimes a very tricky question for companies to answer because data is housed not only in your own internal tools but across a variety of vendors and suppliers. Consider bringing in a data privacy consulting firm if your internal team is unable to do this.
What is personal data? Do training! The first step to empowering your team (both the legal team and other business functions) is making sure they understand the foundations of the regulation.
Pace yourself. Don't attempt to tackle all areas of privacy compliance at once. We'd recommend working with leadership to develop a privacy compliance roadmap so that you're setting achievable and realistic goals for your compliance program.
Give leadership options. Management is often concerned with how much compliance programs will end up costing the company. In addition to compliance vendors that may need to be brought in, training staff, locating data, and bringing business processes and systems into compliance can all be costly. To mitigate this, ensure that you're giving leadership multiple options for tackling privacy compliance problems.
Tackle high-risk areas first. Companies are typically in a stronger position if they tackle the most important areas of compliance first. Those areas include data subject access requests and breach response.
What are the biggest risks of not being compliant with CCPA or GDPR?
- Bad Press - failing to be compliant may put your company at a risk of negative PR or loss of consumer trust
- Fines - $$$
CCPA / GDPR Compliance Plan
Below you'll find a roadmap for getting your company into data privacy compliance. This model can be adjusted for your individual company's needs.
Phase 1: Present State Analysis
- Meet with internal data privacy stakeholders, including CCO, CRO, CPO
- Meet with divisional heads, including any business function that is likely to have data from consumers (marketing, HR, sales)
- Define what "success" looks like for your company's data privacy compliance program
- Create a privacy team; it should include individuals from legal, compliance, and operations
- Identify and review existing privacy policies, terms of service, consumer communications, and privacy notices - these will need to be updated
- Map all internal and external places where consumer data is stored
- Map all external vendors that you are sending consumer data to
- Review systems and agreements with third parties to whom you are sending data or with whom you are sharing it
Phase 2: Plan + Recommendations
- Complete an implementation plan and timeline - this should essentially be a roadmap to compliance
- Create a playbook that documents all policies, procedures, vendors, data-sharing agreements, vendor agreements, privacy policies, and privacy notices that will need to be updated
- Present your implementation plan to senior leadership, and get agreement on the plan
Phase 3: Implementation
- Update internal policies, training, and procedures
- Work with all business functions to establish a "privacy by default" mentality in all products. Note that you may need to do training with these groups to get buy-in.
- Update contracts with third parties to include data processing agreements and any additional data privacy terms that may be necessary to come into compliance
Phase 4: Maintain
- Set up a privacy compliance team who will maintain the program and respond to consumer requests related to GDPR, CCPA, or other regulations
- Establish key success metrics for your privacy program
- Report to compliance regulators