Data Privacy in California: Practical Steps You Can Take Now Before the CCPA Goes Into Effect
The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. Is your business prepared and in compliance with the new law?
Our previous two posts in this series provided a general summary of the law and overview of the rights granted to California residents and the corresponding obligations for businesses based on those rights. This part of our series focuses on steps your business can (and should) take before the CCPA takes effect.
1. Determine if the CCPA – and any of its exceptions or exemptions – apply to your business.
Who the CCPA applies to is covered by our first post [https://www.aalrr.com/newsroom-alerts-3583], and it is important to determine how the CCPA will affect your organization. The CCPA also has certain exceptions and exemptions that cover certain situations.
Perhaps the most publicized is AB25 or the “Employee Exemption.” The CCPA excludes information gathered from job applicants and employees for the purposes of employment. It, however, does not completely absolve employers. The CCPA still requires that businesses comply with a consumer’s right to know and provide notice of the data being collected and the purpose of the collection, and still allows consumers to pursue a private right of action for data breaches. Another often-cited exemption is the “Business-to-Business Exemption,” which exempts from the CCPA consumer requirements communications between businesses that occur solely within the business conducting due diligence regarding, providing or receiving a product or service to or from, another business or organization. Businesses under this exemption, however, must still provide the opportunity to consumers to opt-out if they sell information. Both the Employee Exemption and the Business-to-Business Exemption, however, are only in effect for one year, and each expires on January 1, 2021.
There are also exceptions to the CCPA rights requirements applicable to certain types of information already subject to state or federal regulations, including Fair Credit Reporting Act eligibility information, motor vehicle and warranty information and information under the Driver’s Privacy Protection Act, HIPAA information, and information under the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act. Furthermore, the CCPA includes exceptions where application of the statutory obligations would conflict with controlling state or federal law, including free speech protections under the First Amendment.
These exemptions and exceptions, however, are complex and nuanced and apply to types of information, not types of businesses or industries, so even companies that qualify for one of these exceptions will likely only be partially exempt. In short, although your company may not have CCPA obligations with respect to some of the personal information it maintains – or not all of the CCPA’s requirements will apply to that data – it is unlikely that a business otherwise subject to the CCPA will be wholly exempt by virtue of an exception under the law. If you have any questions about whether or how any CCPA exemptions may apply to your business, contact counsel for clarification.
If the CCPA does apply to your organization, it is necessary to inform your employees and collaborate across your entire business to train them on how to implement CCPA procedures.
2. Determine what data you have and the system(s) where you keep it.
It may sound like common sense, but many businesses do not know the extent of the data they have or where it is stored. It is essential to know the data your business or organizations has, where it comes from, how it is organized on your system(s), and where it is stored (whether internally or on external servers). If you also collect offline data, make sure you are also taking it into account. This is often referred to as “data mapping.” Moreover, determine if you share the data you collect and, if so, with whom, and determine if your business “sells” any data.
This is a critical component of risk management, but it is also crucial for any privacy and data security compliance program, including for responding to consumers requests under the CCPA (for a greater discussion of those rights, see part 2 of our series [https://www.aalrr.com/newsroom-alerts-3589]). A business cannot disclose, manage, or protect its data if it does not know what it has.
The second part of knowing your data is minimizing it to eliminate any unnecessary risk. Know how long you are keeping data and why, and evaluate whether you can minimize your exposure to potential data breaches by deleting any data you do not need for the normal operation of your organization or to comply with applicable laws and regulations.
3. Update your privacy policy, notifications, and website.
If the CCPA applies to your organization, make sure you update your privacy policy and notification to employees. Your privacy policy should outline specifically what personal data you collect, why you collect it, and for what purpose. It should also make clear details on how consumers can exercise their rights under the CCPA and contact information at your organization. This includes, at the very least, setting up a toll free number where consumers can direct their request.
You should also update your website to reflect changes to these policies and provide a link to you updated policies, as well as an opt-out link, if applicable, for consumer to opt-out of the sale of their personal data. If your organization collects information from minors, you will also have additional obligations.
4. Implement a process to respond to consumer requests.
The CCPA gave California consumers the right to request and access information collected about them, and the right to deletion of that data (with some limitations), [discussed further https://www.aalrr.com/newsroom-alerts-3589]. Covered organizations under the CCPA should implement a response system to consumer requests to ensure your ability to handle consumer requests for data and deletion. Businesses are required to provide answers to consumers within 45 days, free of charge. The CCPA requires that organizations establish two or more designated methods for consumers to submit inquiries, including at a minimum a toll free number unless the business exclusively operates online. Make sure you read the CCPA guidelines to understand your legal obligations, and contact counsel for guidance, if necessary.
5. Review and update your cyber security procedures.
Ensure you have reasonable data protection measures in place to protect against any potential breaches and malicious activity. The CCPA not only gives the California Attorney General power to impose civil fines, but also provides California consumers the ability to pursue a private right of action for data breaches, which includes the possibility for statutory damages, that occur at your company as a result of a failure to maintain security procedures and practices. As such, it is critically important to strengthen your data security measures and review your current strategies in place to prevent breaches and further mitigate risk because any breach under the CCPA could result in significant financial liability.
6. Address vendor and third party data risks and contracts.
If the CCPA applies to your organization, you need to asses with whom you are sharing consumer information, and why. If you share data with outside third parties such as vendors and service providers, updating your vendor or customer contracts is a critical step to comply with the law, as well as limiting your organization’s potential liability. Your contracts with such outside third parties should expressly state the requirements that vendors will not sell personal information, as well as provide additional assurances and protections for your organization in the event of a data breach at or by the outside third party.
Moreover, to comply with the CCPA, contracts with service providers must: (1) specify the business purposes for which shared personal information will be processed, (2) prohibit the service provider from “selling” the personal information, and (3) prohibit the service provider from retaining, using, or disclosing the personal information outside of the direct business relationship and for any purpose other than what is specified in the contract.
Organizations covered by the CCPA should also consider updating their contracts with “third parties” that are not defined as service providers. The CCPA provides that “[a] third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to optout.” Businesses should consider whether to delineate responsibility or processes for meeting these requirements in updates of contracts with third parties or limiting third parties from selling the information.
Conclusion
Contact the team of data privacy and CCPA attorneys at Atkinson Andelson Loya Ruud & Romo to help you navigate the very complex regulations of the CCPA and ensure your business is ready and CCPA-compliant. If your business is faced with a CCPA enforcement action or lawsuit in the New Year, AALRR has a team of data privacy litigators well-versed in the CCPA and related law ready to step in and defend you.
More to come—stay tuned for part 4 of this series in the New Year, where we will be discussing enforcement and litigation under the CCPA.
This AALRR alert is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR presentation/publication does not create an attorney-client relationship. The firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2019 Atkinson, Andelson, Loya, Ruud & Romo
Attorneys
Partner562-653-3200