Suffering from CCPA Compliance Nightmares?

10 Steps to Taming the Beast that Keeps General Counsel up at Night

by STACEY GARRETT — January 28, 2020 in Data Privacy, Featured


If the prospect of complying with the California Consumer Privacy Act is keeping you up at night, start by taking these manageable steps, outlined by Stacey Garrett, to keep your organization in compliance.

You know it’s out there. Lurking. It’s that privacy thing.

More specifically, it’s the California Consumer Privacy Act, a first-in-the-United-States privacy law that gives California residents the right to know, access and delete personal information that businesses collect about them, and the right to opt out of having their personal information sold. (For an overview of the CCPA, the new rights it confers on consumers and the obligations it imposes on businesses, see “Countdown to California’s New Privacy Act” (September 2019).)

But where to begin? There isn’t much guidance on the CCPA. Maybe Congress will enact
a federal privacy law and it all will go away in the morning?

Not likely. (Or at least not any time soon.) The CCPA is here to stay.

The CCPA Goes “Where No One Has Gone Before”
If you’re feeling like you are in uncharted territory, you’re not alone. The CCPA imposes obligations on businesses that are so new that the California Attorney General has invoked Star Trek to describe them, saying that California’s new privacy law is going “where no one has gone before.” He’s not kidding. The CCPA borrows some concepts from existing United States privacy law and the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, and mixes things up with its own secret sauce.


The CCPA took effect on January 1, 2020, and although the California Attorney General will not begin enforcement actions before July 1, 2020, regulatory action and fines of $2,500 to $7,500 can be based on conduct that took place as early as January 2020. Attorney General Becerra has said that his office is focused on an enforcement strategy to ensure that the CCPA has teeth and that if companies are not operating properly, his office “will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”[1]

On the other hand, Attorney General Becerra also has said that his office will “look kindly on those that … demonstrate an effort to comply.”[2]

If the CCPA is keeping you up at night, the best thing you can do is get started now. Document your efforts so that you can demonstrate your business’s good-faith efforts to comply, and develop a plan for your business’s compliance with the CCPA, starting with these steps.

10 Actions to Move Toward CCPA Compliance

1. Publish the Notices Required by the CCPA.

The CCPA requires businesses to publish “notices” informing consumers about the personal information the businesses collect about them. Businesses must provide these notices at or before the time the information is collected, and if businesses collect personal information offline (such as through security cameras), businesses must provide consumers with notice via a paper handout or prominent sign directing them to the web address where the notice can be found. Businesses also must explain any financial incentives that they offer in exchange for the retention or sale of consumers’ personal information, and they must explain that consumers can withdraw from the financial incentive at any time. Finally, businesses must inform consumers of their right to opt out of the sale of personal information and how to exercise that right. These requirements are explained in detail in the Attorney General’s draft regulations implementing the CCPA.

2. Publish a California Privacy Policy that complies with the CCPA.

The CCPA requires a long list of disclosures in a CCPA-compliant privacy policy. The privacy policy must describe the categories of information that the business has collected about consumers in the last 12 months, the source of that information (by category) and whether the business has shared the information with, or sold it to, anyone. The privacy policy also must explain the consumers’ rights and provide instructions regarding how consumers can exercise those rights. The laundry list of required disclosures is contained in the Attorney General’s draft regulations.

And while you’re at it, now also would be a good time to make sure that the privacy policy
meets the requirements of two more California privacy laws: the California Online Privacy
Protection Act[3] and California’s “Shine the Light” Law.[4]

3. Develop intake methods for consumer requests to know, delete and opt out.

The CCPA requires that businesses provide at least two ways in which consumers can submit requests to know, delete and opt out of the sale of their personal information. The most common submission methods are via a toll-free telephone number and an interactive web form (if the company operates a website). The toll-free telephone number and web form do not need to be dedicated solely for the purpose of receiving consumer privacy requests. If the business already has and uses a toll-free number for customer service and a web form for customers to contact the business, those existing systems can be used to receive consumer privacy requests. Businesses that sell personal information must also make two methods available for consumers to opt out. One method must be a web form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The link must be published on the business’s website or mobile application.

4. Develop procedures to verify consumer identities.

The CCPA requires that businesses establish, document and comply with a reasonable
method for verifying that the person submitting a request to know or delete is the
consumer about whom the business has collected information. Whenever feasible, the
business should match identifying information provided by the consumer with personal
information of the consumer already maintained by the business or use a third-party
verification service. Verification also can take place within a password-protected account.
Businesses have some flexibility here.

5. Establish a protocol for on-time responses to consumer requests to know, delete and opt out.

The CCPA imposes a number of deadlines: Businesses must confirm receipt of consumer
requests to know and delete within 10 days and must respond within 45 days; and
businesses must act on consumer requests to opt out within 15 days. Consider
automating these processes or, at a minimum, preparing standardized response letters to
address repeat situations.

6. Train employees who handle privacy inquiries.

Employees who handle consumer inquiries about the business’s privacy practices must be trained in the requirements of the CCPA and how to direct consumers to exercise their CCPA rights. Training usually can be accomplished in two hours, with follow-up on an as-needed basis. Make sure to keep a record of the training as evidence of the business’s good-faith efforts to comply with the CCPA.

7. Document your procedures, and implement a records retention practice.

Keep a record of your procedures for handling consumer requests and responses, both for internal reference purposes and to demonstrate the business’s good-faith efforts to comply with the CCPA. Also, businesses must retain records of consumer requests and how the business responded to the requests for a period of at least 24 months. The records can be kept in a “log” format as long as all the required information is retained. The CCPA offers some flexibility here, so adopt the approach that is most efficient for your business.

8. Review and amend your vendor contracts where needed.

All vendor contracts should be in writing. At a minimum, they should contain:

instructions for processing the data,

a clause prohibiting the vendor from retaining, using or disclosing personal information for any purpose other than performing the services specified in the contract or the CCPA, and

a requirement that the vendor implement and maintain reasonable security measures.

Where possible and accurate, the vendor contracts should document that the vendor is a
“service provider” or a “third party” as defined by the CCPA, so the business’s disclosure
of information to the service provider is not a “sale” of the information.

9. Meet the digital and technical requirements of the CCPA.

The CCPA not only tells businesses what to do, it tells them how to do it. Businesses that
sell personal information must publish a link to a web form that is clearly and
conspicuously titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The
link must be published on the business’s website or mobile application. In addition, the
privacy policy and the required notices on a business’s website must be available in the
languages in which the business ordinarily provides contracts, disclaimers and sale
announcements to consumers.

The privacy policy also must be available in an additional format that allows consumers to print it out as a separate document, and it must be accessible to consumers with disabilities. In fact, now is a good time for businesses to make sure that their entire website is accessible to people with disabilities. Several United States Courts of Appeal have held that websites that have a connection to a physical place of accommodation must comply with the Americans with Disabilities Act. Most recently, the Ninth Circuit reached this conclusion in Robles v. Domino’s Pizza, LLC, 913 F.3d 898, 905 (9th Cir. 2019). In California, violations of the ADA also are violations of the California Unruh Civil Rights Act, which allows plaintiffs to recover damages of up to three times actual damages but no less than $4,000 per violation, along with attorneys’ fees. There currently is no legal prescription for web accessibility, but the Web Content Accessibility Guidelines (WCAG) 2.0 level AA are frequently referenced by courts as being the appropriate standard.

10. Secure your data.

Businesses that maintain personal information about California residents are required to
implement and maintain reasonable security procedures and practices to protect the
information from unauthorized access, use, modification or disclosure. This is a critical
requirement for businesses that maintain “sensitive” personal information (such as social
security numbers, driver’s license numbers, account numbers, credit or debit cards,
passwords, medical information and health information), because a breach of
nonencrypted and nonredacted sensitive personal information that is the result of the
business’s failure to maintain reasonable security measures can be the basis for civil
actions seeking statutory damages of $100 to $750 per consumer per incident or actual
damages, whichever is greater. These damages can add up very fast.

The CCPA doesn’t have to be a nightmare. Tackling these CCPA action items will go a
long way toward putting your business on the path to compliance and a peaceful night’s
sleep.

[1] “California AG says privacy law enforcement to be guided by willingness to comply,” by Nandita Bose, Technology News (Reuters) (12/10/2019).

[2] Id.

[3] Cal. Bus. & Prof. Code §22575(b).

[4] Cal. Civ. Code §1798.83.

Stacey Garrett

Stacey Garrett is a shareholder of Keesal, Young & Logan and is located in Long Beach, California. Stacey is certified by the International Association of Privacy Professionals (IAPP) in the areas of United States and European Union privacy law and also holds certifications in privacy management and technology. Stacey graduated magna cum laude from the University of California, Hastings College of Law and is a member of the Order of the Coif. Stacey is admitted to practice law in California, Nevada and before the Supreme Court of the United States. You can connect with Stacey on LinkedIn.
