MDO | INSIGHTS
10 Tips for CCPA Compliance Before January 1, 2020 Effective Date
December 4, 2019
Since 1972, the California Constitution has recognized the right to privacy as an inalienable right of individuals. On January 1, 2020, that right will be strengthened when the California Consumer Privacy Act (CCPA) becomes effective.
The CCPA imposes a heightened level of scrutiny on businesses and considerable requirements on their collection, use and protection of consumer data belonging to Californians. Companies both inside and outside of California will be affected by the CCPA requirements.
The CCPA applies to companies doing business in California that exceed any of the following thresholds: (i) annual gross revenue of $25 million; (ii) handling personal information of 50,000 or more California residents, households, or devices annually; or (iii) deriving 50% or more of annual revenue from selling Californians' personal information.
Below are some important CCPA compliance tips that companies should adopt to help comply with the CCPA and minimize risk, fines and penalties. Violations of the CCPA may result in a private right of action from $100 to $750 per consumer per incident or actual damages. The California Attorney General can also proceed to seek penalties of $2,500 per violation, or $7,500 per violation if intentional.
1) Document the "Personal Information" (PI) You Collect
Companies should document what type of PI they collect, where it originated, and who they share it with. Under the CCPA, "personal information" means non-public "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household," (e.g. names, aliases, unique personal identifiers, postal, IP, and email addresses, account names, social security, passport, and driver's license numbers, etc.). The CCPA's definition of PI also includes commercial information such as "records of personal property, products and services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies."
Generally, companies should develop a "Data Map" of what PI they hold on their customers and where all of it is stored, and a "Data Flow" that provides a visual illustration of how such PI is stored, used, processed, transferred and disposed of.
2) Determine and Disclose How Data is Stored and Processed
All companies subject to the CCPA are required to disclose to individuals how they store and process the PI collected. For that reason, and for cybersecurity reasons, it is advisable that every company select the most appropriate data storage option for their business, whether on a company's server or with a third-party data storage provider, including taking measures such as encryption. The key is to disclose it and explain how this decision was made.
3) Issue a Clear and Concise Privacy Notice
Companies need to explain how they are complying with the CCPA. The best way to communicate such compliance is by issuing a clear and concise Privacy Notice to the individuals whose PI it collects. The CCPA requires that the notice be easy to read and understandable to an average consumer. The language must also draw the consumer's attention and be straightforward. The Privacy Notice should address:
What is the CCPA;
Why it applies to your company;
What measures your company is taking to comply; and
How the individual can contact you with questions or requests.
The CCPA also specifically calls for a privacy link on the homepage of any covered entity's website. It must be "clear and conspicuous," titled "Do Not Sell My Information," and linked to a page that allows consumers to opt out of having their PI sold.
Be provided at or before collection of PI;
Indicate the categories of the PI collected;
Describe consumers' rights regarding their PI;
Indicate the specific purpose for which PI is collected, how such data is stored, processed and used, and the categories of third parties with whom it is shared.
Internally, companies should revise contracts with third parties for CCPA compliance and, if not selling PI, clarify in written contracts with business partners that PI is not communicated for consideration.
5) Obtain Consents to Sell PI
The CCPA requires companies to secure specific opt-out consent from individuals regarding the sale of their PI collected. Accordingly, companies must provide the mechanism for obtaining and documenting such consents at any time they collect PI. Companies subject to the CCPA need a "Do Not Sell My Personal Information" link and an opt-out page. Additionally, the CCPA specifically outlines that companies must obtain consent from a guardian to sell PI from a consumer under 13 years old.
6) Deliver CCPA Training
Training is a critical component of any effective compliance program. With the changes to privacy policies and procedures under the CCPA, it is important for companies to provide specific training to their key personnel to ensure they abide by the new protocols designed to comply with the CCPA. Companies should invest the time and resources to prepare and deliver thorough training on key privacy policies and procedures to employees.
7) Review and Update Vendor Agreements
Under the CCPA, a company may be held liable for violations by its third-party agents who receive PI of customers on their behalf. Companies may also be viewed as "selling" PI of customers to vendors based on the broad definitions under the CCPA. As such, it is important for companies to review and update applicable agent and vendor contracts to ensure their compliance with the requirements to collect, use, store and process PI for customers in accordance with the CCPA. Alternatively, companies may consider clearly defining responsibilities and limiting access to customer PI for such agents and vendors, so that such requirements do not extend to such contracting parties.
8) Prepare to Honor Privacy Rights
Under the CCPA, individuals have broader rights over their PI stored by a company. As such, companies should be prepared to respond to individuals who exercise such rights, including the rights to:
Have their personal data deleted;
Know what PI is being collected on them;
Know if that information is being sold and to whom;
Opt out of that information being sold;
Obtain a copy of their PI;
Receive equal service and price regardless of whether they exert the above rights (meaning companies must not discriminate against a consumer because the consumer exercised any of the consumer's rights under the CCPA); and
Sue for damages if their PI is breached.
In addition, companies must provide the contact information for the person or department responsible for data collection and storage in the company. Companies that operate online and offline need to also provide a toll-free number for customer contact regarding their PI.
9) Maintain Records of Compliance Efforts
The CCPA imposes serious fines on companies that fail to comply with the law's requirements. For that reason, companies should maintain adequate records of their compliance efforts, including any updates to policies and procedures, logs of trainings delivered, and investigations and reporting of data breaches. Doing so will strengthen a company's defense in the event an individual or government agency challenges its compliance with the CCPA or the adequacy of its privacy compliance program.
10) Establish Data Breach Response Procedures
The CCPA allows consumers to seek damages for breached PI if it is the "result of the business' violation of the duty to implement and maintain reasonable security procedures and practices." Moreover, before the CCPA, California Law already required companies to notify any California resident whose PI has been breached. To address these requirements, companies should establish data breach response procedures to help detect, report and investigate data breaches.
In light of the enforcement of the CCPA, it has become critical for companies to enhance their Privacy and Data Protection Compliance Programs. Companies should be updating their policies and procedures to protect sensitive information and personal information. MDO Partners encourages companies to adopt the tips outlined in this article and assess what other privacy measures may be required to comply with the CCPA and other applicable privacy laws. Our attorneys and advisors have experience advising clients on privacy as well as cybersecurity matters. We can assist companies in establishing effective privacy compliance programs.
About MDO Partners
MDO Partners is a boutique law firm that focuses on Corporate, International, and Real Estate Law, as well as Global Compliance and Business Ethics. The firm is comprised of a solid team of attorneys and advisors with more than 100 years of combined experience who are committed to the business goals and best interests of their clients. The firm delivers value-added services of the highest caliber and serves as a trusted advisor to its clients with a practical and business-savvy approach. For more information on MDO Partners, please visit www.mdopartners.com
If you have questions or comments regarding this Insights, contact the attorney listed below:
Richard Montes de Oca
PURPOSE | PASSION | PERFORMANCE
MDO | PARTNERS
175 SW 7th Street
Miami, FL 33130