The following checklist provides a high-level overview of key actions to be taken by businesses subject to the California Consumer Privacy Act (CCPA). This is not a comprehensive list, and we will update as new guidance is provided, including with respect to any finalization of the California AG’s proposed regulations. As a reminder, CCPA comes into effect on January 1, 2020, however it has a 12-month “look-back” requirement that allows consumers to request their data records dating back a whole year from when the request is made. This means that organizations will need to identify collected records of personal information that date back to January 1, 2019 (12 months prior to January 1, 2020).
Data Mapping
- Conduct an internal review to determine all categories of personal information collected by your organization.
- Map out how personal information is collected, used, and shared – take stock of data flows in and out of the organization.
- Know whose data is being collected – individual’s location, age, etc. – and why.
Third Party Assessments/Documentation
- Determine whether any third party vendors have access to personal information, and assess whether it is “sold” to vendors or disclosed for a business purpose per CCPA (service provider exemption). Note the CCPA’s definition of “sold” is different and broader than the plain language meaning, and this involves an analysis of how a vendor can use the data.
- Update or implement a data processing agreement (CCPA Addendum) for each vendor, which CCPA Addendum should contain specific language for vendors that qualify as service providers
- Review or implement internal policies and procedures as to the scope and purpose of such collection of personal information.
- Conduct third party audits on service providers who have access to your consumer personal information to ensure compliance with CCPA.
Policies
- Review and update online privacy notices to comply with the disclosure requirements of the CCPA – this incudes updating existing privacy notices, and implementing “just-in-time” notices that are required by CCPA.
- Prepare internal policies and procedures to ensure that your organization responds to consumer requests for access or deletion, or information related to the sale or disclosure of their personal information.
- If price or service differences are given by the organization for personal information, assessment of financial incentives and notice should be included in the privacy notice.
- Review Term of Service/Use for consistency and liability cap mechanisms.
Technological Solutions
- Implement technological solutions/features to provide enhanced notice to consumers and process consumer requests as specified in CCPA (e.g., timeline, verification).
- Implement opt-in for financial incentives and adjust opt-ins for minors, where required.
- Implement “Do Not Sell My Information” link for consumer right to opt-out of the sale of their personal information, after determining whether any sales occur.
Mandatory Training
- Prepare training materials to train all individuals within the organization with respect to CCPA, particularly personnel who will be responsible for handling consumer personal information inquiries – training is mandatory under CCPA.
Security
- Review your organization’s security. This is the one area that grants individuals a private right of action under CCPA and is potentially the most costly for companies that do not have appropriate security and suffer a data breach.
- Implement CIS Controls and ensure that internal policies (incident response plan etc.) are in place – at the very least. The level of security must be commensurate with the nature of the personal information and processing activities performed by your organization.
For more information, please contact Celine Guillou or Chiara Portner.