Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 1 of a Series
First Steps First – the Data Map
It is estimated that more than 500,000 companies are subject to the California Consumer Privacy Act (CCPA), many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. So where should a business begin in its efforts to meet the Act’s requirements?
What is the CCPA?
The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020. The effective date of the Act gives covered businesses little time to prepare. Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.
What businesses must comply with the Act?
As has been well publicized, the Act is applicable to many businesses, whether located inside or outside California. The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria:
- Generate annual gross revenue in excess of $25 million,
- Receive or share personal information of more than 50,000 California residents annually, or
- Derive at least 50 percent of its annual revenue by selling the personal information of California residents.
What to do first – Data mapping
The first, and possibly most important, thing a company should do to comply with the Act is to understand what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.
To bring this into focus, a well-run company is aware of the location and use of every physical asset in the business, who has access to the asset, its value to the company, its replacement cost, and a variety of other information. But few companies take the same effort with customer, employee and business data, which may have a value far greater than its physical assets.
For this reason, companies should implement data mapping projects. Data mapping allows a company to:
- Understand the information life cycle of personal and sensitive information for key processes throughout the business.
- Evaluate the strength and effectiveness of data controls and safeguards.
- Create an inventory that includes data element types, collection mechanisms, transfers, privacy and security practices and transfers to third parties.
- Establish policies and procedures to focus control enhancements on areas of highest privacy and security risks.
It is only by establishing this baseline that a company can begin to comply with the Act – a company cannot honor a customer’s request to delete his or her personal information if the company doesn’t know what information it has, and where it is held.
Companies need to consider this step now, because the task is challenging. Companies may be well aware of information that is specifically requested from customers, but the definition of personal information is very broad, and “collection,” under the Act, includes both active and passive acquisition of information.
Many companies have not established protocols for access to information, and allow information to be accessed by employees and vendors – that data must also be accounted for in order to comply with the Act.
Company data – an asset and a liability
There is a benefit to this practice that goes beyond complying with the Act. Companies can realize the extent of their data collection practices and whether it advances the business; companies must realize that every point of data it holds is not just an asset, but also a liability and eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize costs associated with maintaining data, including cybersecurity and insurance expenses.
Future articles will describe other actions necessary to comply with the Act, but if the question is where to start, the answer is clear – inventory your data.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.