For example, a request might be recorded by a member of the customer support team, who then forwards the request to the privacy team, who then might make an assessment as to whether the request is valid, what laws are triggered, etc. Privacy might then have to create a ticket to IT, sales or marketing to make the requisite changes (e.g., deletion, opt-out, or portability). After the changes are confirmed, privacy might either handle the response themselves, or forward it back to the support team to contact the data subject. And all of this must be done within 45 days of receipt of the request, which, may seem like a long amount of time at first, but as any seasoned privacy professional knows, can go by in a flash if not managed well.
Of course, this is just one example—there are a number of different scenarios that need to be anticipated (e.g., web-form submission, in-person, email opt-out, etc.), and these scenarios and how they are to be handled should be mapped out in a standard operating procedure (SOP) to ensure accuracy and consistency in handling. In the end, it will make life much easier if decisions on how to handle different requests are made ahead of time, rather than on the fly.
Consent & Preference Management
The right to opt-out of the sale of personal information can be treated similarly to withdrawal of consent. A tool needs to be provided to consumers so that they can indicate their wishes in a clear and unambiguous way, and your organization needs to facilitate that process and respect the consumer’s wishes to opt out. Therefore, if your organization has already implemented a tool for consent and preference management, you could expand your use of that tool to this purpose as well, enabling the right to opt-out, while creating and managing records of those preferences.
Businesses are also responsible for ensuring that individuals responsible for handling consumer inquiries about privacy practices or CCPA compliance are informed and educated on how to direct consumers to exercise their rights.
From an operational perspective, this highlights the privacy team’s role in translating legal requirements for the workforce, facilitating the training process, and ensuring that the training actually works. For instance, will your employees know a data subject request when they see one? Will they know the workflow or standard operating procedure (SOP) and where to find it if they do not?
Again, if you have had any experience with GDPR or other privacy laws, you may already have training in place that you can expand to reflect some of the nuances of the CCPA, to ensure that you are covering all your bases at once.
Privacy by Design
Privacy by Design is a framework encouraging the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices, thereby achieving the strongest privacy protections possible. The term “privacy by design” was originally coined by Dr. Ann Cavoukian while she was the Information ad Privacy Commissioner of Ontario, Canada. Dr. Cavoukian broke PbD down into “7 foundational principles.”
An integral part of any privacy by design program is the privacy impact assessment (PIA)—a tool used to identify and reduce privacy risks, and ensure that you have considered the various privacy requirements and principles that a particular activity might be subject to. For instance, the CCPA specifically calls out the principles of notice, data minimization and purpose limitation, all of which can and should be examined in a PIA:
A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
To ensure that privacy is baked into the collection, use and disclosure of personal information, organizations should also consider delegating to privacy champions in different business teams who can help facilitate privacy by design efforts, such as in ensuring data minimization and purpose limitation in the development of new products and services, and in handling data subject requests.
The CCPA is a law unlike any other in the United States and will have a broad impact. Companies will need to begin preparing as early as possible to be ready to respond to the new rights provided to consumers, as well as to any potential changes to the law that could be made between now and January 1st, 2020.
1 While this article will not fully explore the issue of scope, it is important to note that the CCPA provides certain thresholds for companies doing business in California before they are considered subject to the law. According to research conducted by the International Association of Privacy Professionals, the law will affect an estimated 500,000 businesses.
2 The California Attorney General is expected to establish rules and procedures for identifying a ‘verifiable consumer request.’