Close
Login to MyACC
ACC Members


Not a Member?

The Association of Corporate Counsel (ACC) is the world's largest organization serving the professional and business interests of attorneys who practice in the legal departments of corporations, associations, nonprofits and other private-sector organizations around the globe.

Join ACC

On June 28, 2018 the California Legislature passed the California Consumer Privacy Act (“CCPA” or the “Act”). This sweeping legislation creates significant new requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information. This Quick Overview presents tips to calibrate an organization’s efforts to comply with the Act.

Given the multiple facets that come into play to set and implement the correct maturity level, this short resource provides a broad overview. For further developments and practical tips regarding the various facets, check out the ACC Guide on Operationalizing the California Consumer Privacy Act (2019).

1. Targeting the Right Privacy Maturity for Your Organization

Different levels of program maturity are required for different companies. Companies vary on the number of consumers whose privacy information they hold, the quantity and breadth of this information, how widely it is shared as well as how this information is stored and managed. Savvy privacy professionals know that targeting the right level of maturity is key. Companies should consciously target a specific maturity level and build their programs to meet that level

Companies can fail in their privacy efforts by overreaching and trying to create too sophisticated program elements, or by underestimating the needed capability. It is better to have a well-executed, albeit simpler, approach than a more complex, difficult, and expensive target that needs constant supervision and improvement as opposed to an operationalized program.

2. Privacy Policies, Notices and Procedures

The new rules under the CCPA will require organizations to either create a privacy policy or update their existing policy. Likewise, they will need to update and add notices, as well as create new processes and procedures. 

Comply

 

3. Privacy Organization and Awareness

A privacy project is a living program with ongoing responsibilities throughout the organization. Even when organizing the implementation project, there are questions of ownership, including identifying and engaging stakeholders, organizing a steering committee and building executive-level support. Likewise, training is critical for building organizational awareness.

Table display of increasing levels of Privacy Organization and Awareness Maturity and their descriptions

Execution of a privacy program requires efforts from many different groups and building a cross-functional approach early in the process is important.

4. Information Security and Breach Response

Organizations need to implement data security and privacy controls. The exact protection measures will depend on the type, medium and location of the personal information.

Table display of increasing levels of Information Security and Breach Response Maturity and their descriptions

Most organizations have some level of information security capabilities already in place. It is important to make sure these capabilities address and are consistently applied to privacy information.

5. Structured Data Personal Information Capability

Significant stores of privacy information live in applications which store their information in structured databases. These databases are part of customer applications. Privacy information often flows from one system to another, sometimes creating many copies of the same data. Companies need to develop capabilities for managing this structured privacy data.

Table display of increasing levels of Structured Data Personal Information Capability and their descriptions

 

6. Unstructured and Semi-Structured Data Capability

While privacy information is typically associated with information in databases, large amounts of privacy information exist in files, emails and other types of unstructured and semi-structured information.  Many privacy programs do not address this unstructured and semi-structured information, creating real non-compliance issues and risks. Under European, California and other laws, this type of information is in scope and can be particularly challenging to manage.

Table display of increasing levels of Unstructured and Semi-structured Data Capability and their descriptions

 

7. Paper Information Capability

Paper documents tend to accumulate in both onsite and offsite storage facilities, some of which contain privacy information. The new and emerging privacy laws do not exclude paper, and as such identifying and producing this paper-based information can be particularly burdensome. Hence programs must have the capability of addressing paper.

Table display of increasing levels of Paper Information Capability and their descriptions

 

8. Third-party Data Capability

Companies must have the capability to address the privacy information they collect that is either sold or shared with third parties, or likewise they receive themselves. This includes developing the appropriate service level agreements (SLAs) as well as ensuring that these third parties have the capability of complying with the privacy requirements. Many companies are surprised to find out the extent this information is shared.

Table display of increasing levels of Third Party Data Capability and their descriptions

Well-designed third-party capabilities set clear expectations over who is responsible for what. This is always easier to address proactively.

9. Consumer Access Request Procedures, Monitoring and Enforcement

CCPA and other proposed laws require a series of processes to support consumer access, production and deletion requests. These include authentication processes, search processes, production processes as well as deletion processes. Furthermore, these processes need to be tracked and monitored for compliance.

Table display of increasing levels of Consumer Access request Procedures, Monitoring and Enforcement and their descriptions

 

10. Privacy Program Integration with Other Compliance Programs and Processes

One of the problems that has emerged from current privacy requirements is the need for these programs to coordinate with other compliance regimes, including records management and eDiscovery and legal holds. CCPA, for example, suspends deletion requests for personal information under legal hold. But these two groups of processes need to be coordinated.

Table display of increasing levels of Privacy Program Integration with Other Compliance Programs and Processes Maturity and their descriptions

 

11. Audit Enforcement and Maintenance

Finally, privacy laws and the resultant programs are hardly stagnant. New laws are being enacted and current legislation is subject to amendments as well as implementation guidelines. To this end, programs should be thought of as an ongoing effort, with audit, enforcement and maintenance processes built within them.

Table display of increasing levels of Audit, Enforcement and Maintenance Maturity and their descriptions

 

Conclusion

Companies sometimes seek the perfect privacy policy, processes and programs. Courts and regulators recognize that privacy programs are inherently imperfect.  It is better for companies to develop a good program – at the appropriate maturity level – and improve this over time. Don’t let perfect be the enemy of good.

Additional Resources

ACC Guides

Maturity Models

Other Articles

Region: United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.
ACC