Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:
This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are.
The CCPA says that California residents, including minors, have the right to know if their personal data is being collected, and to whom the data is being sold, and with whom it is being shared. Armed with that knowledge, California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.
Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements — is daunting. In our first article, we highlighted the importance of the data map. In our second article, we covered breach response.
In this post, we’ll review the changes companies need to be making to their privacy policies in order to comply with the CCPA. The Act mandates that any company subject to the CCPA make specific public disclosures, including:
- The categories of personal information collected about the consumer;
- The sources from which that information is collected;
- The commercial or business purpose for which the personal information is collected;
- The categories of third parties the information will be shared with; and
- Specific pieces of personal information collected about the consumer.
In addition, companies must provide consumers with a description of their rights under the CCPA as described above. The CCPA specifically prohibits businesses from collecting additional categories of personal information and then using those new categories for other purposes, unless the collection or use is disclosed on the company’s privacy statement.
Many companies have had a “write it and file it” approach to privacy policies. That approach was never effective, and is now contrary to California law. The CCPA requires companies to review and update their policies annually, something privacy-conscious companies have been doing all along.
We’ve been working with companies to update their policies in advance of the Jan. 1, 2020, effective date, and have developed some tips that make for stronger policies and more efficient workflow.
- Presentation is Important
- User-Friendly Policies, Please
- Consider a Q&A format or FAQs
More than ever, consumers are comfortable navigating online information via Q&As and FAQs (frequently asked questions). Think about how consumers search for data online generally. It’s often in the form of a question, such as “where is my personal data stored?” Understand that users will have questions about not just “data,” but biometric information, geolocation data, photos, voice messages, phone conversations recorded for quality control purposes, etc.
- Run Your Table-Top Exercises with Real Users
Test your policy with users who are not part of your legal, compliance, IT and marketing teams. Is it understandable and easily navigable? Is the opt-out easy to find and use? What does your online form for telling consumers what information has been collected about them look like, and is the resulting report comprehensible? Consider whether you will need a consumer information ombudsperson to handle complaints or issues when they arise. Make sure you are ready, internally and externally, for when this goes live.
- Test Your Vertical
This can be an expensive process. Smaller companies will undoubtedly struggle with compliance. Even though lawmakers are still tinkering around the edges of the legislation, it’s important to get started now, both on the actual work and on fostering a consumer-centric, rather than company-centered, approach to privacy.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.