The CCPA “Look Back” Requirement
A provision in the upcoming California Consumer Privacy Act (CCPA) will make the regulation retroactive once it goes into effect… meaning it’s effective now. Bill Tolson of Archive360 discusses what organizations can do now to move toward CCPA compliance.
The California Consumer privacy Act (CCPA) was passed last year (2018) with an effective date of January 1, 2020 – assuming no federal actions (check out the blog titled “Will the New California Consumer Privacy Act Stand?” for potential federal actions).
Who does the CCPA affect?
Simply put, the CCPA protects all California residents whether they are consumers, employees or business contacts. In hindsight, with the passage of the EU’s GDPR privacy regulation, many organizations didn’t think they needed to worry about it until much closer to the effective date of May 25, 2018. In fact, there are still many companies that aren’t in compliance. This wait-and-see strategy turned out to be a risky strategy for many companies because they didn’t fully understand the implementation complexities involved. They were not considering the potential startup costs, implementation turnaround times and the new processes needed to put it in place. Implementation readiness for the CCPA has already put many companies in an untenable position; they may already have dug themselves a hole it will be difficult to climb out of.
Most companies aren’t yet aware of the fact that their responsibilities for CCPA readiness begin well before the planned January 2020 implementation date. I am speaking of the “look back” requirement.
The look back requirement of the law allows California citizens to ask for their information on January 1, 2020 – for the previous 12 months. Companies should be able to find and report on what consumer data exists, how it’s being used and if it’s been sold to third parties. Also, the consumer can demand its disposal if the company is not required to keep it for regulatory or legal reasons. Ideally, beginning on January 1, 2019 (already past) companies should already have been capturing and managing consumer data in such a way as to ensure it can be found, culled and deleted quickly if needed. The current requirement is a business must respond to a consumer’s verified request for information within 45 days (subject to extension under limited circumstances). Many companies will not be able to fully respond correctly, raising the possibility of fines.
What does this mean for my company?
Companies that have not begun CCPA planning and implementation should take this risk to heart and get started immediately. The following topics should be addressed in your CCPA planning:
- Records/information management: Are you managing ALL data that contains California residents’ personally identifiable information (PII)? A best practice is to consolidate all PII (not just Californians’) into a single repository to make searching faster/easier and to ensure no copies are floating around, which would violate the CCPA if not deleted when asked. Ensure your systems are set up to index and search for PII based on residency.
- Create a CCPA team for fast/complete response: The time frame to react to a PII request is limited, so having a tested process in place will greatly reduce noncompliance liability.
- Data deletion: How PII is deleted from your systems is important. Simply hitting the delete button is not a true deletion – meaning unrecoverable. Companies should install deletion technology that ensures PII is completely unrecoverable, otherwise it could be considered still available and in violation of the CCPA.
- Data encryption: The best insurance policy against both GDPR and CCPA noncompliance is utilizing encryption/anonymization with all PII. Many privacy laws, including the GDPR and CCPA take the position that if PII is encrypted and the encryption keys were not stolen/hacked, then even if the data was accessed, it could not have been usable and therefore not in violation if data is inappropriately accessed.
We’ll Take Our Chances
Some CIOs have the attitude that they don’t need to worry about the CCPA because the chances of a California citizen asking about their PII from a small company in another state is particularly low – a bad idea. The chances may be low, but they’re not zero, and the benefits of CCPA preparation (listed above) actually provide obvious benefits to companies beyond that of CCPA risk reduction, such as better information management.
If your organization has not started yet, you still have time to get your company ready. Working with vendors focused on this area will help to get ahead of these challenges to ensure administrators are ready on January 1, 2020.