On June 28, 2018 the California Legislature passed the California Consumer Privacy Act (“CCPA” or the “Act”). This sweeping legislation creates significant new requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information. This Quick Overview presents tips to calibrate an organization’s efforts to comply with the Act.
Given the multiple facets that come into play to set and implement the correct maturity level, this short resource provides a broad overview. For further developments and practical tips regarding the various facets, check out the ACC Guide on Operationalizing the California Consumer Privacy Act (2019).
1. Targeting the Right Privacy Maturity for Your Organization
Different levels of program maturity are required for different companies. Companies vary on the number of consumers whose privacy information they hold, the quantity and breadth of this information, how widely it is shared as well as how this information is stored and managed. Savvy privacy professionals know that targeting the right level of maturity is key. Companies should consciously target a specific maturity level and build their programs to meet that level
Companies can fail in their privacy efforts by overreaching and trying to create too sophisticated program elements, or by underestimating the needed capability. It is better to have a well-executed, albeit simpler, approach than a more complex, difficult, and expensive target that needs constant supervision and improvement as opposed to an operationalized program.
2. Privacy Policies, Notices and Procedures
3. Privacy Organization and Awareness
A privacy project is a living program with ongoing responsibilities throughout the organization. Even when organizing the implementation project, there are questions of ownership, including identifying and engaging stakeholders, organizing a steering committee and building executive-level support. Likewise, training is critical for building organizational awareness.
Execution of a privacy program requires efforts from many different groups and building a cross-functional approach early in the process is important.
4. Information Security and Breach Response
Organizations need to implement data security and privacy controls. The exact protection measures will depend on the type, medium and location of the personal information.
Most organizations have some level of information security capabilities already in place. It is important to make sure these capabilities address and are consistently applied to privacy information.
5. Structured Data Personal Information Capability
Significant stores of privacy information live in applications which store their information in structured databases. These databases are part of customer applications. Privacy information often flows from one system to another, sometimes creating many copies of the same data. Companies need to develop capabilities for managing this structured privacy data.
6. Unstructured and Semi-Structured Data Capability
While privacy information is typically associated with information in databases, large amounts of privacy information exist in files, emails and other types of unstructured and semi-structured information. Many privacy programs do not address this unstructured and semi-structured information, creating real non-compliance issues and risks. Under European, California and other laws, this type of information is in scope and can be particularly challenging to manage.
7. Paper Information Capability
Paper documents tend to accumulate in both onsite and offsite storage facilities, some of which contain privacy information. The new and emerging privacy laws do not exclude paper, and as such identifying and producing this paper-based information can be particularly burdensome. Hence programs must have the capability of addressing paper.
8. Third-party Data Capability
Companies must have the capability to address the privacy information they collect that is either sold or shared with third parties, or likewise they receive themselves. This includes developing the appropriate service level agreements (SLAs) as well as ensuring that these third parties have the capability of complying with the privacy requirements. Many companies are surprised to find out the extent this information is shared.
Well-designed third-party capabilities set clear expectations over who is responsible for what. This is always easier to address proactively.
9. Consumer Access Request Procedures, Monitoring and Enforcement
CCPA and other proposed laws require a series of processes to support consumer access, production and deletion requests. These include authentication processes, search processes, production processes as well as deletion processes. Furthermore, these processes need to be tracked and monitored for compliance.
10. Privacy Program Integration with Other Compliance Programs and Processes
One of the problems that has emerged from current privacy requirements is the need for these programs to coordinate with other compliance regimes, including records management and eDiscovery and legal holds. CCPA, for example, suspends deletion requests for personal information under legal hold. But these two groups of processes need to be coordinated.
11. Audit Enforcement and Maintenance
Finally, privacy laws and the resultant programs are hardly stagnant. New laws are being enacted and current legislation is subject to amendments as well as implementation guidelines. To this end, programs should be thought of as an ongoing effort, with audit, enforcement and maintenance processes built within them.
- Operationalizing the California Consumer Privacy Act (2019)
- Creating a Modern, Compliant and Easier-to-Execute Records Retention Schedule (2018)
- Executing Your Records Management Program (2018)
- California Consumer Privacy Act (CCPA)-Similarities and Differences to European GDPR at a Glance (2018)