Saturday, November 2, will mark 60 days until the California Consumer Privacy Act (CCPA) goes into effect. While each organization will have its unique compliance challenges, as discussed below, there is a discrete set of tasks – at a minimum – that each organization needs to undertake in the next 60 days as the first steps toward compliance.

In addition, on November 13, members of Husch Blackwell’s privacy and cybersecurity practice group will present a webinar to discuss these tasks in greater detail.  For more information or to register, click here.

1) Analyze: Does the CCPA apply to your organization?

The CCPA’s scope is incredibly broad but not limitless. As a threshold matter, organizations should analyze whether the CCPA’s definition of “business” covers their organization.

2) Inventory: Do you know what personal information flows into and out of your organization?

At its core, the CCPA requires organizations to disclose the types of personal information that they collect, the purpose for that collection, and whether that personal information is shared with other entities. Understanding how data flows into, out of and within your organization is an indispensable step in the compliance process and will allow you to prepare consumer notices and respond to consumer requests. The inventory process can be streamlined by using Husch Blackwell’s CCPA Data Inventory Tool.

3) Prepare: Have you prepared consumer-facing disclosures?

Organizations subject to the CCPA will need online privacy policies by January 1 that comply with the numerous new and complex requirements. A notice at point of collection and a notice of right to opt-out may also be required. Given that these notices need to be posted online, organizations will need to make sure that the notices and the technology to present them are up and running by January 1 (or risk a public showing of non-compliance).

4) Create processes: Can you respond to consumer requests?

As of January 1, organizations subject to the CCPA must provide California residents a mechanism to submit requests to delete their information and/or access specific pieces of personal information that organizations are holding. California residents may also submit requests to opt-out of an organization’s sale of personal information to third parties. The CCPA and the California Attorney General’s proposed regulations have specific requirements on how these requests must be received, how organizations must verify the identity of an individual making certain types of requests, and how organizations must respond to those requests. These specific requirements need to be integrated before January 1 so that organizations can timely respond to these requests. Organizations also need to make sure that they provide CCPA training to relevant employees.

5) Update agreements: Have you secured data-sharing agreements with service providers?

The CCPA draws a sharp distinction between personal information that is shared with “service providers” and personal information that is shared with “third parties.” Organizations should review data transfers to determine whether the recipients should be classified as service providers or third parties and the legal implications of those designations. For any entity that can be classified as a service provider, organizations will need to enter into CCPA-compliant data-sharing agreements with those entities.

David Stauss

David is co-leader of Husch Blackwell’s national privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Bob Bowman

Bob advises clients on a range of intellectual property issues and keeps them current on emerging technologies. Bob is a forward thinker who keeps up with the changing landscape of technical innovation and the law surrounding the Internet of Things, blockchain, smart contracts and data privacy.

Malia Rogers

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures as well as drafting breach response and action plans.