The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. That’s just 40 days from the date we published this blog. Yet we continue to see a considerable number of organizations that are likely to be impacted by this new legislation failing to put together personal data privacy protection programs. That could be a costly mistake.
In a recent webinar we held on this topic, a full 100 percent of attendees said they are putting only “moderate” effort into CCPA planning. Forty-two percent of that same audience said they are covering CCPA planning solely with internal resources, rather than hiring outside counsel or consultants. Nearly 60 percent of the audience said they are “definitely not” selling personal data – a key factor in the CCPA regulations. That’s consistent with what we hear from clients, yet we often find those same clients have missed an important piece of the CCPA “fine print”: if an organization exchanges data for any benefit (not just for money), that exchange is considered “selling” data under CCPA. All of these are important points to consider when planning for CCPA, yet they are often overlooked in the planning process.
CCPA, while broader than the European Union’s General Data Protection Regulation (GDPR), is complex, and, as with any governmental requirement, the devil is in the detail. The amendments discussed in the webinar have either been resolved or tabled for now. And while enforcement will be delayed until mid-2020, that January 1 effective date remains critical. If your organization is among those that are behind on planning for CCPA, here are several important tips.
First, spend time reviewing this privacy operating model, which we use with all new clients.
Note that governance is at the top. When an organization considers broad policy design, and how that design aligns with its risk profile and risk appetite, how personal data is collected, processed and stored is of critical importance. At the bottom of this framework is the technical infrastructure, which plays a big role in understanding and developing a data inventory. In between, we cover the building blocks of any privacy program, including the purpose of each process, how to contract with service providers or third parties, how to honor consumer requests, incorporating security and privacy by design, and more.
At any given layer, different stakeholders, ranging from outside counsel to internal stakeholders, should each own a particular process. Perhaps legal owns contractual relationships, while the chief information security officer (CISO) owns risk assessments and determines what level of security requirements is needed.
Communication, education and training at both the audit committee level and the executive committee level, as well as with individuals across the organization, also need to be addressed. Many clients are amazed at the extent of what personal data means to the organization, and at how each person who handles data within the organization, or who talks directly with consumers, also has a role in data protection. Getting everyone level-set on what personal data means in the context of this statute is a real need. One of the areas we like to start with is data identification. Organizations just starting to put a data privacy program in place need to understand the data they have, how that data is used and why that data is used. That exercise will help inform the data privacy notices, policies and procedures that need to be developed. Above all, do not get into a situation where your documented data practices do not accurately reflect what the organization actually does.
Once processes are established, there will be ongoing compliance needs to consider. This chart provides a high-level review of the types of questions an organization must continue to ask as it develops and refines its program.
Clearly, CCPA is not something that’s going away. We fully anticipate that we will continue to see states and countries implement new privacy requirements. That is why getting control of data is perhaps the most important thing to gain clarity on now. That includes data mapping, processing and data flow.
Without understanding the data inventory and the flow of data, it is difficult to know where data exists. We cannot emphasize enough that understanding data is a critical first step.
Finally, establish a steering committee or some other form of dialog across the organization so that everyone understands the policies are not aspirational; they are practical. These policies must reflect the way the organization will operate going forward. This will likely involve a cultural change, which our colleagues discuss in another webinar in this series, Establishing an Organizational Privacy Function.
To listen to this webinar on-demand, or any of the other webinars in our privacy series, click here.