8 Steps to CCPA Compliance

  • Start Now: the CCPA became effective on January 1, 2020.
  • Collaborate: meet with your team and come up with a plan of attack. Identify a lead sponsor.
  • Get to Know Your Data: start the data mapping process.
  • Create Processes: create processes to handle the individual rights of disclosure, access, and deletion. Transparency is critical under CCPA.
  • Set Up Opt-Out Procedures: create a clear path and process for an individual to opt out of the sale of PI. Individual rights are a key aspect of CCPA.
  • Secure: establish and/or strengthen security measures. Understand the full lifecycle of a data record.
  • Update Privacy Notices: update your privacy notices to specifically state what data is collected.
  • Get Ready: prepare for the future of privacy laws and regulations. Already, 10+ states are evaluating a law similar to CCPA.

CCPA compliance isn’t business as usual

8 Steps to CCPA Compliance

1. Start Now

Begin developing a CCPA compliance strategy now. The CCPA took effect January 1, 2020.

2. Collaborate with your team, and come up with a plan of attack.

Identify a lead sponsor and cross-functional team. Complying with CCPA will require input initially and on an ongoing basis with departments such as marketing, product, IT, HR, finance, customer support, security, privacy, and legal.

Identify the resources (such as software tools, attorneys, and consultants) required to help with compliance.

Establish and/or review privacy training. As employees move between roles, it will be imperative to train employees and create a standard operating procedure for honoring individual rights.

3. Get to Know Your Data

Start the data mapping process. Understand the data you collect that qualifies as personal information under the CCPA. Where do you host your data (including with any third parties), and for what purpose is it used? This exercise is especially crucial for determining whether you collect and sell data on children. If so, data collected on children under the age of 13 requires opt-in with parental consent, and children aged 13 to 16 must also give consent directly themselves.

4. Understand (and create processes to handle) the individual rights of disclosure, access, and deletion.

An individual has the right to understand details regarding how their data is processed (disclosure) and the right to access the categories of personal information collected. An individual also has the right to deletion: if any consumer requests that their personal data be deleted, a business must delete all records (with some exceptions) of that consumer and direct its service providers to do the same. This step may be the most complex under the CCPA to implement. Businesses will need to establish training, processes, and procedures, and identify the third parties that need to be involved to ensure compliance.

What Needs to be Included in the Privacy Notice?

Under the New Hampshire privacy law, a privacy notice must include:

  • The categories of Personal Data processed;
  • The purpose for processing Personal Data;
  • The categories of third parties with which Personal Data is shared;
  • The categories of Personal Data that are shared with third parties;
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
  • An active email address or other electronic method for a consumer to contact the company.

5. Create a clear path and process for an individual to opt out of selling personal information.

Individual rights are a key aspect of CCPA.

An individual also has the right to opt out from the sale* of personal information. Businesses selling PI will need to put controls in place to manage the opt-out requests and also a process to capture subsequent authorization if the consumer changes their mind. One of the controls CCPA mandates is that businesses create a separate “Do Not Sell My Personal Information” webpage with an obvious path from their homepage that directs consumers to opt out of the sale of their personal information.

*Selling is broadly defined under the CCPA: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

6. Establish and/or strengthen security measures.

Understand the full lifecycle of a data record. CCPA requires ‘reasonable’ security measures, and performing a thorough privacy and security assessment for each service provider will help mitigate any mishandling of personal data.

7. Update Privacy Notice

Transparency is critical under CCPA.

Update your privacy notices to specifically state what data is collected, explain the purpose for the data’s use, identify third parties with which that data is shared, and communicate the rights available to an individual about their personal data.

8. Prepare for the future of privacy laws and regulations.

New privacy regulations will continue to roll out. Already, 10+ states are evaluating a law similar to CCPA, and Brazil’s General Personal Data Protection Act (Lei Geral de Proteção de Dados or LGPD) takes effect in August 2020. Create adaptive and agile processes to help your company remain both compliant and efficient in the wake of new privacy legislation. Prepare yourself with CCPA Compliance Solutions!

Data Privacy is Just Good Business