How to Prepare for CCPA Compliance Given the Uncertain Amendments and Regulations
One of the challenges for businesses preparing for the California Consumer Privacy Act (CCPA) is that it is still a moving target. With only nine months to go before the effective date, there is still the possibility of substantive legislative changes and the Attorney General is not scheduled to issue the first draft of regulations until only a few months before businesses must have their implementation of the law in place.
The potential uncertainty around the CCPA will be on display tomorrow. There will be public hearings in California tomorrow on a dozen bills that propose changes to the California Consumer Privacy Act. Ten of the CCPA amendments will be heard in the Assembly’s Privacy and Consumer Protection Committee. Two will be heard by committees of the California Senate. For those interested in learning more, we have previously provided highlights of the bills under consideration here on the Clarip Privacy Blog. The hearings will also be available online live tomorrow (and subsequently available on the legislature’s website in the video archives for the committees).
Privacy and compliance professionals will be following the hearings closely in the hopes that a few areas of uncertainty around the future of the law will diminish. However, an amendment or group of amendments that finds support at this stage may only add to the uncertainty as there will still be a long road before adoption. The Washington Privacy Act is evidence that nothing is certain until it is passed. Although the Washington Privacy Act found substantial support in the Washington state Senate and was passed by a vote of 46-1, it ultimately was unable to gain support in the House in time amidst the different interest groups. Even if there is initially support for changes to the CCPA, any amendments will need to navigate a wide range of interest groups and cannot truly be counted on by covered businesses until they are signed by the California Governor.
The effective date for the CCPA is currently January 1, 2020, and most of the proposed bills do not move back the effective date. Any changes will therefore leave businesses only six months or so to modify their compliance preparations before they must have their implementation of the law in place. Even with a potential six-month grace period before enforcement by the Attorney General, there will not be a lot of time if there are major changes to the new privacy law, and businesses must already be working on their compliance preparations.
AB 1760 may be the only bill that proposes a delay in the effective date – it moves it back a year to January 1, 2021. However, it also proposes the most changes to the CCPA. At one time, it even proposed changing the name to the Privacy for All Act of 2019. Some of those changes, including the name change and a sweeping private right of action, have already been removed in recent amendments before tomorrow’s public hearing.
Another delay in the timetable of the CCPA is not something that businesses can rely on to procrastinate. Polling has found substantial support among the public for privacy regulations so there would need to be an important reason for the legislature to delay it. The federal government also seems unlikely to step in as there does not appear to be sufficient support in Congress at the present moment for federal preemption of the California law.
The tight timeline between any amendments from the legislature to the effective date of the CCPA is complicated by the fact that the Attorney General is unlikely to finalize the regulations until November or December. As a result, businesses will need to have as much as they can in place and then quickly make modifications to their plan as necessary to comply with the announced regulations.
How can businesses prepare for the CCPA amidst this uncertainty?
Fortunately, there are a number of activities that covered businesses can undertake to prepare for the law that are unlikely to become a misguided effort.
1. Data Mapping
All covered businesses should complete data mapping in order to have an enhanced understanding of their data collection, usage and third-party data sharing. Without this step, it would be difficult to make the required privacy disclosures, provide the information required by the right to access, and know where to look for the data following a consumer’s deletion request. Companies that prepared for GDPR by conducting limited data mapping need to extend it to their California operations. Organizations do not need to delay this aspect of their preparations as the information gleaned about their data will be valuable for privacy compliance even if minor changes in the law or regulations are made.
2. DSAR Portal
Organizations need to have a method to communicate with consumers and receive requests under the California Consumer Privacy Act. Although some aspects of the implementation may change along the way, a privacy software vendor like Clarip can be engaged now to ensure that a company is ready for the requests. There are a number of improvements and efficiencies offered by data subject access request software over alternatives like email.
3. Consent Management
The right to opt out of the sale of personal information is a fundamental aspect of the CCPA. Organizations will need to have a solution in place to handle their opt-out requests. They will also need to make sure that they are not collecting children’s data and selling it without gathering opt-in consent. Implementation of consent management software is an important component of meeting this requirement. If the consent management requirement is ultimately strengthened to require opt-in consent for everyone, a company that has selected a vendor already will be in a better position to make these changes.
4. Vendor Management
Companies need to identify the third parties with whom they share data and ensure that they have appropriate contracts in place with them under the CCPA. The vendor management process and contract reviews are something that can begin now due to the length of time that it could take to undertake this process. As the scope of the potential CCPA amendments is clarified, organizations can begin drafting an addendum or approaching the third party about necessary changes to the contract.
5. Cybersecurity Requirements
This is one area where businesses do not have the leeway to delay their implementation. Since this section will be enforced by civil class actions rather than the Attorney General, there is no delay from the effective date of January 1, 2020. Organizations need to have their plans in place as soon as possible to limit the potential for statutory damages of a minimum of $100 per person following a negligent data breach. Although there is some uncertainty around what will ultimately be considered reasonable security procedures and practices, organizations should be reviewing and implementing the Center for Internet Security’s Critical Security Controls, which the California Attorney General’s Office has previously indicated were the minimum necessary for reasonable security practices under California’s information security statute, Section 1798.81.5(b) of the California Civil Code.