Corporate Compliance Insights

Suffering from CCPA Compliance Nightmares?

10 Steps to Taming the Beast that Keeps General Counsel up at Night

by Stacey Garrett
January 28, 2020
in Data Privacy

If the prospect of complying with the California Consumer Privacy Act is keeping you up at night, start by taking these manageable steps, outlined by Stacey Garrett, to keep your organization in compliance.

You know it’s out there. Lurking. It’s that privacy thing.

More specifically, it’s the California Consumer Privacy Act, a first-in-the-United-States privacy law that gives California residents the right to know, access and delete personal information that businesses collect about them, and the right to opt out of having their personal information sold. (For an overview of the CCPA, the new rights it confers on consumers and the obligations it imposes on businesses, see “Countdown to California’s New Privacy Act” (September 2019).)

But where to begin? There isn’t much guidance on the CCPA. Maybe Congress will enact a federal privacy law and it all will go away in the morning?

Not likely. (Or at least not any time soon.) The CCPA is here to stay.

The CCPA Goes “Where No One Has Gone Before”

If you’re feeling like you are in uncharted territory, you’re not alone. The CCPA imposes obligations on businesses that are so new, the California Attorney General has invoked Star Trek to describe them, saying that California’s new privacy law is going “where no one has gone before.” He’s not kidding. The CCPA borrows some concepts from existing United States privacy law and the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, and mixes things up with its own secret sauce.

The CCPA took effect on January 1, 2020, and although the California Attorney General will not begin enforcement actions before July 1, 2020, regulatory action and fines of $2,500 to $7,500 can be based on conduct that took place as early as January 2020. Attorney General Becerra has said that his office is focused on an enforcement strategy to ensure that the CCPA has teeth and that if companies are not operating properly, his office “will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”[1]

On the other hand, Attorney General Becerra also has said that his office will “look kindly on those that … demonstrate an effort to comply.”[2]

If the CCPA is keeping you up at night, the best thing you can do is get started now. Document your efforts so that you can demonstrate your business’s good-faith efforts to comply, and develop a plan for your business’s compliance with the CCPA, starting with these steps.

10 Actions to Move Toward CCPA Compliance

1. Publish the notices required by the CCPA.

The CCPA requires businesses to publish “notices” informing consumers about the personal information the businesses collect about them. Businesses must provide these notices at or before the time the information is collected, and if businesses collect personal information offline (such as through security cameras), businesses must provide consumers with notice via a paper handout or prominent sign directing them to the web address where the notice can be found. Businesses also must explain any financial incentives that they offer in exchange for the retention or sale of consumers’ personal information, and they must explain that consumers can withdraw from the financial incentive at any time. Finally, businesses must inform consumers of their right to opt out of the sale of personal information and how to exercise that right. These requirements are explained in detail in the Attorney General’s draft regulations implementing the CCPA.

2. Publish a California privacy policy that complies with the CCPA.

The CCPA requires a long list of disclosures in a CCPA-compliant privacy policy. The privacy policy must describe the categories of information that the business has collected about consumers in the last 12 months, the source of that information (by category) and whether the business has shared or sold the information with anyone. The privacy policy also must explain the consumers’ rights and provide instructions regarding how consumers can exercise those rights. The laundry list of required disclosures is contained in the Attorney General’s draft regulations.

And while you’re at it, now also would be a good time to make sure that the privacy policy meets the requirements of two more California privacy laws: the California Online Privacy Protection Act[3] and California’s “Shine the Light” Law.[4]

3. Develop intake methods for consumer requests to know, delete and opt out.

The CCPA requires that businesses provide at least two ways in which consumers can submit requests to know, delete and opt out of the sale of their personal information. The most common submission methods are via a toll-free telephone number and an interactive web form (if the company operates a website). The toll-free telephone number and web form do not need to be dedicated solely for the purpose of receiving consumer privacy requests. If the business already has and uses a toll-free number for customer service and a web form for customers to contact the business, those existing systems can be used to receive consumer privacy requests. Businesses that sell personal information must also make two methods available for consumers to opt out. One method must be a web form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The link must be published on the business’s website or mobile application.

4. Develop procedures to verify consumer identities.

The CCPA requires that businesses establish, document and comply with a reasonable method for verifying that the person submitting a request to know or delete is the consumer about whom the business has collected information. Whenever feasible, the business should match identifying information provided by the consumer with personal information of the consumer already maintained by the business or use a third-party verification service. Verification also can take place within a password-protected account. Businesses have some flexibility here.

5. Establish a protocol for on-time responses to consumer requests to know, delete and opt out.

The CCPA imposes a number of deadlines: Businesses must confirm receipt of consumer requests to know and delete within 10 days and must respond within 45 days, and they must act on consumer requests to opt out within 15 days. Consider automating these processes or, at a minimum, preparing standardized response letters to address repeat situations.

6. Train employees who handle privacy inquiries.

Employees who handle consumer inquiries about the business’s privacy practices must be trained in the requirements of the CCPA and how to direct consumers to exercise their CCPA rights. Training usually can be accomplished in two hours, with follow-up on an as-needed basis. Make sure to keep a record of the training as evidence of the business’s good-faith efforts to comply with the CCPA.

7. Document your procedures, and implement a records retention practice.

Keep a record of your procedures for handling consumer requests and responses, both for internal reference purposes and to demonstrate the business’s good-faith efforts to comply with the CCPA. Also, businesses must retain records of consumer requests and how the business responded to the requests for a period of at least 24 months. The records can be kept in a “log” format as long as all the required information is retained. The CCPA offers some flexibility here, so adopt the approach that is most efficient for your business.
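Steps 5 and 7 describe the same operational problem from two sides: every consumer request carries deadlines that must be met, and the record of the request and the response must be kept for at least 24 months. The following ledger is an illustration added to this article, not the author’s code or any vendor product. The 10-day acknowledgement, 45-day response and 15-day opt-out deadlines and the 24-month retention period come from the article; everything else (that the deadlines count calendar days, the request kinds, the status fields, the report formats and the sample request IDs) is an assumption made for the example.

```python
"""Consumer-request ledger: CCPA deadline tracking (step 5) and a 24-month
record-retention check (step 7).

Illustrative code added to the article. Deadlines and the retention period
are the article's figures; calendar-day counting, the request kinds, the
status fields and the report formats are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ACK_DAYS = 10          # confirm receipt of a request to know or delete
RESPOND_DAYS = 45      # substantive response to a request to know or delete
OPT_OUT_DAYS = 15      # act on a request to opt out of sale
RETENTION_MONTHS = 24  # keep the request record and the response at least this long
KINDS = ("know", "delete", "opt_out")


def _as_date(value: str | date) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string (as a log would store it)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_month_start = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class ConsumerRequest:
    request_id: str
    kind: str                     # one of KINDS
    received: date
    acknowledged: Optional[date] = None
    completed: Optional[date] = None
    history: list[str] = field(default_factory=list)  # step 7: what was done, and when

    def record(self, when: date, what: str) -> None:
        self.history.append(f"{when.isoformat()} {what}")

    def ack_due(self) -> Optional[date]:
        # The article states no acknowledgement deadline for opt-out requests.
        return None if self.kind == "opt_out" else self.received + timedelta(days=ACK_DAYS)

    def response_due(self) -> date:
        days = OPT_OUT_DAYS if self.kind == "opt_out" else RESPOND_DAYS
        return self.received + timedelta(days=days)

    def retain_until(self) -> date:
        return add_months(self.received, RETENTION_MONTHS)

    def overdue(self, today: date) -> list[str]:
        problems = []
        ack = self.ack_due()
        if ack and self.acknowledged is None and today > ack:
            problems.append(f"acknowledgement overdue since {ack.isoformat()}")
        if self.completed is None and today > self.response_due():
            problems.append(f"response overdue since {self.response_due().isoformat()}")
        return problems


class RequestLedger:
    """In-memory log of consumer requests; a real deployment would persist it."""

    def __init__(self) -> None:
        self._requests: dict[str, ConsumerRequest] = {}

    def open(self, request_id: str, kind: str, received: str | date) -> ConsumerRequest:
        if kind not in KINDS:
            raise ValueError(f"unknown request kind {kind!r}; expected one of {KINDS}")
        if request_id in self._requests:
            raise ValueError(f"duplicate request id {request_id!r}")
        req = ConsumerRequest(request_id, kind, _as_date(received))
        req.record(req.received, f"received request to {kind}")
        self._requests[request_id] = req
        return req

    def acknowledge(self, request_id: str, when: str | date) -> None:
        req = self._requests[request_id]
        req.acknowledged = _as_date(when)
        req.record(req.acknowledged, "receipt confirmed to consumer")

    def complete(self, request_id: str, when: str | date, outcome: str) -> None:
        req = self._requests[request_id]
        req.completed = _as_date(when)
        req.record(req.completed, f"completed: {outcome}")

    def overdue_report(self, today: str | date) -> dict[str, list[str]]:
        """Request ids with a missed deadline, for whoever owns the step 5 protocol."""
        today = _as_date(today)
        report = {r.request_id: r.overdue(today) for r in self._requests.values()}
        return {rid: issues for rid, issues in report.items() if issues}

    def purge_eligible(self, today: str | date) -> list[str]:
        """Completed requests past the 24-month retention; nothing is deleted here."""
        today = _as_date(today)
        return [r.request_id for r in self._requests.values()
                if r.completed is not None and today > r.retain_until()]


if __name__ == "__main__":
    ledger = RequestLedger()
    ledger.open("R-1", "know", "2020-01-15")  # constructed sample request
    print(ledger.overdue_report("2020-02-01"))
```

The overdue report is the piece worth automating: run it daily and the 10/45/15-day clocks are checked for every open request at once, while the per-request history gives the documented trail the article recommends keeping. The retention check only reports which records are old enough to dispose of; whether and how they are disposed of is a decision for the records-retention practice, not the script.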

8. Review and amend your vendor contracts where needed.

All vendor contracts should be in writing. At a minimum, they should contain:

  • instructions for processing the data,
  • a clause prohibiting the vendor from retaining, using or disclosing personal information for any purpose other than performing the services specified in the contract or as otherwise permitted by the CCPA, and
  • a requirement that the vendor implement and maintain reasonable security measures.

Where possible and accurate, the vendor contracts should document that the vendor is a “service provider” or a “third party” as defined by the CCPA, so the business’s disclosure of information to the service provider is not a “sale” of the information.

9. Meet the digital and technical requirements of the CCPA.

The CCPA not only tells businesses what to do, it tells them how to do it. Businesses that sell personal information must publish a link to a web form that is clearly and conspicuously titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The link must be published on the business’s website or mobile application. In addition, the privacy policy and the required notices on a business’s website must be available in the languages in which the business ordinarily provides contracts, disclaimers and sale announcements to consumers.

The privacy policy also must be available in an additional format that allows consumers to print it out as a separate document, and it must be accessible to consumers with disabilities. In fact, now is a good time for businesses to make sure that their entire website is accessible to people with disabilities. Several United States Courts of Appeal have held that websites that have a connection to a physical place of accommodation must comply with the Americans with Disabilities Act. Most recently, the Ninth Circuit reached this conclusion in Robles v. Domino’s Pizza, LLC, 913 F.3d 898, 905 (9th Cir. 2019). In California, violations of the ADA also are violations of the California Unruh Civil Rights Act, which allows plaintiffs to recover damages of up to three times actual damages but no less than $4,000 per violation, along with attorneys’ fees. There currently is no legal prescription for web accessibility, but the Web Content Accessibility Guidelines (WCAG) 2.0 level AA are frequently referenced by courts as being the appropriate standard.

10. Secure your data.

Businesses that maintain personal information about California residents are required to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, use, modification or disclosure. This is a critical requirement for businesses that maintain “sensitive” personal information (such as Social Security numbers, driver’s license numbers, account numbers, credit or debit card numbers, passwords, medical information and health information), because a breach of nonencrypted and nonredacted sensitive personal information that is the result of the business’s failure to maintain reasonable security measures can be the basis for civil actions seeking statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. These damages can add up very fast.

The CCPA doesn’t have to be a nightmare. Tackling these CCPA action items will go a long way toward putting your business on the path to compliance and a peaceful night’s sleep.

 


[1] Nandita Bose, “California AG says privacy law enforcement to be guided by willingness to comply,” Reuters Technology News (Dec. 10, 2019).

[2] Id.

[3] Cal. Bus. & Prof. Code §22575(b).

[4] Cal. Civ. Code §1798.83.


Stacey Garrett

Stacey Garrett is a shareholder of Keesal, Young & Logan and is located in Long Beach, California. Stacey is certified by the International Association of Privacy Professionals (IAPP) in the areas of United States and European Union privacy law and also holds certifications in privacy management and technology. Stacey graduated magna cum laude from the University of California, Hastings College of Law and is a member of the Order of the Coif. Stacey is admitted to practice law in California, Nevada and before the Supreme Court of the United States. You can connect with Stacey on LinkedIn.
