Has GDPR washed up on the western shores of the United States? In some ways, yes. And in some ways, no.
On January 1, while most of us were nursing the results of the night before, California took the wrapping paper off of the California Consumer Privacy Act (CCPA). This sweeping act includes some of the most stringent requirements regarding the use and misuse of private data of California consumers—which is fitting, considering that, on its own, California would be the fifth-largest economy in the world, falling between Germany and the UK. Most US businesses have substantial ties to the state and its 39 million consumers.
With the footprint of California’s economy on the national stage, many organizations are looking at CCPA and wondering, “What do we do now?”
Here are five easy steps to take first.
1. Ask yourself, “Are we within the scope?”
The California legislature designed the CCPA with the consumer in mind. The law gives consumers the right to know what personally identifiable information (PII) is being collected, used, shared, or sold. It also grants them the power to have their PII deleted and the right to prevent the sale of their personal information to third parties. When consumers exercise their ability to limit the distribution of their PII or remove it altogether, the law secures their right to non-discrimination as a result.
So, how do you know if the CCPA applies to you? For one, the law applies to for-profit entities that do business in the State of California and who collect consumer PII or have it collected on their behalf. Additionally, these types of organizations must meet at least one of the following requirements for CCPA to apply:
1) Have a gross annual revenue of over $25 million OR
2) Purchase, receive, or sell the personal information of 50,000 or more consumers, entities, or households OR
3) Derive 50 percent or more of their annual revenue from selling consumer PII
California courts and the Attorney General’s Office are expected to provide more details around the definition of “doing business in California.” The California Attorney General has not provided this guidance yet but has created a short outline of consumer privacy rights.
In the meantime, if your organization has substantial or repeated transactions with consumers in California—even if your business isn’t chartered in California—and you fall into the other categories above, you would be well-advised to pay close attention to this law.
2. Map your data.
Whether for e-discovery, data security, or information governance purposes, organizations have been conducting data mapping exercises over the past several years. The result of these exercises is increased visibility and clarity into where data exists in the organization and what that data includes. This process is even more critical for compliance with CCPA.
In the event of a Data Subject Access Request (DSAR), §1798.130(a)(2) provides entities 45 days to turn over the relevant information to consumers when requested and at no cost to the requesting consumer. Knowing, in advance, where this information is stored will be critical for complying with the CCPA requirements.
If the data located as part of your audit process does not contain PII from California consumers—or you don’t meet the other obligations of CCPA applicability—your data mapping exercise won’t have been in vain. Having a solid perspective of your data landscape benefits you well beyond compliance with CCPA. It simplifies and clarifies your e-discovery processes, breach responses, and information governance in general.
3. Ensure your team knows about CCPA—even if you’re not in California.
As with GDPR, it is critical to inform those who touch, manage, or collect consumer data about the ramifications of the CCPA provisions relating to retaining, using, or selling consumer PII, especially those in California. But keep in mind that California is not the only state with data privacy provisions in place. Other states either have laws already enacted or are in the process of passing similar regulations. Nevada, New York, Maine, and North Dakota, for example, have more narrowly focused data privacy provisions, and Massachusetts, New Jersey, and Pennsylvania have data privacy bills that are in various states of enactment.
Although the penalties for each violation of the CCPA appear relatively small on the individual record level, when extrapolated across the total amount of potential records, a violation may be incredibly expensive. To keep up to date on the latest guidance on the application of CCPA, as well as new legislation from other states, education will be critical. Ensuring that your teams are knowledgeable and processes are modified to account for new requirements will be vital towards ensuring compliance.
4. Practice, practice, practice.
Although it may be well-intentioned, an established process yields few benefits if it isn’t followed. Putting CCPA compliance processes into action before they need to be called upon allows for the bugs to be removed from the system.
Having the right folks in your organization who understand the CCPA requirements, as well as developing internal processes and benchmarks, will be the most crucial step your organization can take to ensure compliance. Examples of these internal processes may relate to how data that may be subject to CCPA or other data privacy statutes are created, maintained, and destroyed. Additionally, it may make sense to create tabletop exercises simulating a DSAR request and benchmark the length of time required to isolate and deliver information to a requesting consumer.
Conducting tabletop exercises that replicate the conditions and requests of typical DSARs and allowing compliance procedures to play out in test scenarios will provide you with a benchmark standard for future reference.
5. Think two steps ahead.
Building awareness, benchmarks, and processes is the first step to CCPA readiness, but compliance is an ongoing process that varies as conditions vary. Building in milestones and touchpoints to revisit your benchmarks and procedures, as well as refreshing and educating your teams on the latest in data privacy laws, will ensure that your hard work today pays off in the future. At the onset, it might be advisable to meet on a very regular basis with a frequent cadence. Once the muscle memory of compliance sets in, these update meetings might become more spread out.
CCPA, as well as other data privacy laws, is not yet finely tuned. There will be more guidance as cases move into the courts and result in opinions. Keeping up to date on the latest in the real-world application of these data privacy laws will prove critical in ensuring your future compliance.
In the meantime, understanding your data, building meaningful processes, and educating your teams will benefit you far beyond your work in CCPA.