Organizations around the globe are now thinking about the California legislature’s passage of its sweeping data privacy law, which will become effective January 1, and the impact it will have on their operations in the Golden State. The California Consumer Privacy Act of 2018 (CCPA) is designed to provide broad, strict protections for personal data of California residents. With more than $3 trillion in annual gross state product, California’s economy is the fifth largest in the world, meaning that corporations with any level of exposure to U.S. markets likely have a data footprint in California.
As many multi-national organizations have already experienced, the EU’s GDPR fundamentally changed the way many businesses manage personal data. The CCPA, which provides privacy rights centered around notice, access and consent for California residents, is like GDPR in numerous ways. It will introduce new fines for non-compliance and lawsuit parameters for residents impacted by illegal processing or mishandling of their data.
Revisions have been ongoing, with efforts by various groups to both strengthen and weaken the law. The current version states that the regulation applies to any company that does business in California and meets one or more of the following: 1) has annual gross revenues exceeding $25 million; 2) buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices; 3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
A number of amendments were advanced in July, and on September 13, many were approved and sent to the governor’s desk. AB 25 passed, providing a one-year exemption for data collected for employment purposes (from individuals including employees, job applicants, business owners and contractors) from the law’s consumer protections. The toll-free number exception (AB 1564), which permits certain businesses to offer only an email method of contact for consumer requests, and the data broker registration amendment (AB 1202) were also approved. Some technical corrections moved forward, included in AB 1355, to provide a one-year moratorium on business-to-business communications and exclusion of de-identified and aggregated data from the definition of personal information. Notably, AB 846, which clarified the law’s anti-discrimination limitations, AB 2181 regarding disclosure of the use of facial recognition technology and AB 981 to exempt insurers from CCPA, were all denied.
While many of the amendments alleviated some of the burdens associated with CCPA, compliance will still involve a substantial update to processes and workflows. Organizations must prepare for the impact the law will bring to their business now, understand obligations and take steps to modify processes accordingly. Key initiatives, which can help reduce regulatory, operational and reputational risk, while establishing preparedness for CCPA enforcement, include:
- Readiness and Risk Assessment: As a first step, teams should conduct an evaluation of their existing programs and readiness through the lens of the new law. This includes examining other regulatory oversight that may overlap or coincide with the CCPA, how privacy is regulated among third parties with which the organization shares data and any impending or expected M&A activity that will impact the data landscape.
Working with privacy experts and executive leadership, create a comprehensive and targeted definition of privacy’s reach across the organization. The strategy should account for the company’s attitude toward risk and any emerging risks on the horizon (from new business channels, partners, regulations, etc.).
- Data Mapping: Creating an extensive map of the organization’s data allows teams to identify the areas of greatest risk, as well as data lifecycles across various systems. Be sure to include an extensive understanding of the regulatory risk exposure with respect to that data and how the compliance obligations impact products, services, business processes, internal systems, external third-party relationships, etc. This will help inform where remediation is most needed.
- Update Privacy Notices: Work with counsel and privacy experts to develop compliant notices that include 1) a description of consumer rights under the law, 2) a comprehensive list of third parties to whom the business sells personal information, 3) categories of third parties to whom the business discloses personal information for business purposes. Privacy notices must be in place by January 2020 for consumers and by January 2021 for employees.
- Manage Consent and Document Personal Data “Sales”: Clear and conspicuous consent/opt-in requests and a “Do Not Sell My Personal Information” link on the company website are essential. Implement a process for handling do-not-sell requests and make it easy for consumers to navigate. Review vendor contracts to ensure that the sale/use of personal information is limited within the confines of the law, and that data rights requests implicating this information can be responded to and executed in a timely manner. Automate the management of consumers’ opt-out preferences and programs that incentivize consumers to provide consent for the use/sale of their data.
- Prepare to Respond to Data Rights Requests: Provide a toll-free telephone number and/or email address where individuals may submit data access requests. Develop a standardized workflow for fielding requests and prepare an outline that includes authenticating the person(s) making the request and a process flow for handling access and deletion of data according to the request.
- Training and Awareness: Company-wide awareness is critical, alongside tailored, ongoing training that supports employees in adopting and sticking to new ways of handling and managing data. Programs should also have built-in monitors to track compliance and flag when additional education is needed.
The good news is that the information governance and privacy programs necessary to meet CCPA’s requirements can bring numerous benefits to the organization, beyond data privacy compliance. Teams should also remember that these initiatives are more of a marathon than a sprint, and should be approached at a steady pace, taking the process one “mile” at a time. By approaching programs in intervals, organizations can better benchmark their progress and be in position to cross the finish line successfully by the time enforcement begins.