If the prospect of complying with the California Consumer Privacy Act is keeping you up at night, start by taking these manageable steps, outlined by Stacey Garrett, to keep your organization in compliance.
You know it’s out there. Lurking. It’s that privacy thing.
More specifically, it’s the California Consumer Privacy Act, a first-in-the-United-States privacy law that gives California residents the right to know, access and delete personal information that businesses collect about them, and the right to opt out of having their personal information sold. (For an overview of the CCPA, the new rights it confers on consumers and the obligations it imposes on businesses, see “Countdown to California’s New Privacy Act” (September 2019).)
But where to begin? There isn’t much guidance on the CCPA. Maybe Congress will enact a federal privacy law and it all will go away in the morning?
Not likely. (Or at least not any time soon.) The CCPA is here to stay.
The CCPA Goes “Where No One Has Gone Before”
If you’re feeling like you are in uncharted territory, you’re not alone. The CCPA imposes obligations on businesses that are so new, the California Attorney General has invoked Star Trek to describe them, saying that California’s new privacy law is going “where no one has gone before.” He’s not kidding. The CCPA borrows some concepts from existing United States privacy law and the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, and mixes things up with its own secret sauce.
The CCPA took effect on January 1, 2020, and although the California Attorney General will not begin enforcement actions before July 1, 2020, regulatory action and civil penalties of up to $2,500 per violation (or $7,500 per intentional violation) can be based on conduct that took place as early as January 2020. Attorney General Becerra has said that his office is focused on an enforcement strategy to ensure that the CCPA has teeth and that if companies are not operating properly, his office “will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”[1]
On the other hand, Attorney General Becerra also has said that his office will “look kindly on those that … demonstrate an effort to comply.”[2]
If the CCPA is keeping you up at night, the best thing you can do is get started now. Document your efforts so that you can demonstrate your business’s good-faith efforts to comply, and develop a plan for your business’s compliance with the CCPA, starting with these steps.
10 Actions to Move Toward CCPA Compliance
1. Publish the Notices Required by the CCPA.
The CCPA requires businesses to publish “notices” informing consumers about the personal information the businesses collect about them. Businesses must provide these notices at or before the time the information is collected, and if businesses collect personal information offline (such as through security cameras), businesses must provide consumers with notice via a paper handout or prominent sign directing them to the web address where the notice can be found. Businesses also must explain any financial incentives that they offer in exchange for the retention or sale of consumers’ personal information, and they must explain that consumers can withdraw from the financial incentive at any time. Finally, businesses must inform consumers of their right to opt out of the sale of personal information and how to exercise that right. These requirements are explained in detail in the Attorney General’s draft regulations implementing the CCPA.
2. Publish a California Privacy Policy that complies with the CCPA.
The CCPA requires a long list of disclosures in a CCPA-compliant privacy policy. The privacy policy must describe the categories of information that the business has collected about consumers in the last 12 months, the source of that information (by category) and whether the business has sold the information or shared it with anyone. The privacy policy also must explain the consumers’ rights and provide instructions regarding how consumers can exercise those rights. The laundry list of required disclosures is contained in the Attorney General’s draft regulations.
And while you’re at it, now also would be a good time to make sure that the privacy policy meets the requirements of two more California privacy laws: the California Online Privacy Protection Act[3] and California’s “Shine the Light” Law.[4]
3. Develop intake methods for consumer requests to know, delete and opt out.
The CCPA requires that businesses provide at least two ways in which consumers can submit requests to know, delete and opt out of the sale of their personal information. The most common submission methods are via a toll-free telephone number and an interactive web form (if the company operates a website). The toll-free telephone number and web form do not need to be dedicated solely for the purpose of receiving consumer privacy requests. If the business already has and uses a toll-free number for customer service and a web form for customers to contact the business, those existing systems can be used to receive consumer privacy requests. Businesses that sell personal information must also make two methods available for consumers to opt out. One method must be a web form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The link must be published on the business’s website or mobile application.
4. Develop procedures to verify consumer identities.
The CCPA requires that businesses establish, document and comply with a reasonable method for verifying that the person submitting a request to know or delete is the consumer about whom the business has collected information. Whenever feasible, the business should match identifying information provided by the consumer with personal information of the consumer already maintained by the business or use a third-party verification service. Verification also can take place within a password-protected account. Businesses have some flexibility here.
5. Establish a protocol for timely responses to consumer requests to know, delete and opt out.
The CCPA imposes a number of deadlines: Businesses must confirm receipt of consumer requests to know and delete within 10 days and must respond within 45 days (the 45-day period may be extended once, by up to another 45 days, when reasonably necessary, provided the consumer is notified of the extension within the first 45 days); and businesses must act on consumer requests to opt out within 15 days. Track the clock from the day the request is received, not the day it is verified. Consider automating these processes or, at a minimum, preparing standardized response letters to address repeat situations.
6. Train employees who handle privacy inquiries.
Employees who handle consumer inquiries about the business’s privacy practices must be trained in the requirements of the CCPA and how to direct consumers to exercise their CCPA rights. Training usually can be accomplished in two hours, with follow-up on an as-needed basis. Make sure to keep a record of the training as evidence of the business’s good-faith efforts to comply with the CCPA.
7. Document your procedures, and implement a records retention practice.
Keep a record of your procedures for handling consumer requests and responses, both for internal reference purposes and to demonstrate the business’s good-faith efforts to comply with the CCPA. Also, businesses must retain records of consumer requests and how the business responded to the requests for a period of at least 24 months. The records can be kept in a “log” format as long as all the required information is retained. The CCPA offers some flexibility here, so adopt the approach that is most efficient for your business.
8. Review and amend your vendor contracts where needed.
All vendor contracts should be in writing. At a minimum, they should contain:
- instructions for processing the data,
- a clause prohibiting the vendor from retaining, using or disclosing personal information for any purpose other than performing the services specified in the contract or as otherwise permitted by the CCPA, and
- a requirement that the vendor implement and maintain reasonable security measures.
Where possible and accurate, the vendor contracts should document that the vendor is a “service provider” as defined by the CCPA, because the CCPA excludes from the definition of “sale” a business’s disclosure of personal information to a service provider under such a written contract. A vendor that does not meet the service-provider definition is a “third party,” and disclosures to it for valuable consideration may be sales that trigger the opt-out obligations described below.
9. Meet the digital and technical requirements of the CCPA.
The CCPA not only tells businesses what to do, it tells them how to do it. Businesses that sell personal information must publish a link to a web form that is clearly and conspicuously titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The link must be published on the business’s website or mobile application. In addition, the privacy policy and the required notices on a business’s website must be available in the languages in which the business ordinarily provides contracts, disclaimers and sale announcements to consumers.
The privacy policy also must be available in an additional format that allows consumers to print it out as a separate document, and it must be accessible to consumers with disabilities. In fact, now is a good time for businesses to make sure that their entire website is accessible to people with disabilities. Several United States Courts of Appeals have held that websites that have a connection to a physical place of public accommodation must comply with the Americans with Disabilities Act. Most recently, the Ninth Circuit reached this conclusion in Robles v. Domino’s Pizza, LLC, 913 F.3d 898, 905 (9th Cir. 2019). In California, violations of the ADA also are violations of the California Unruh Civil Rights Act, which allows plaintiffs to recover damages of up to three times actual damages but no less than $4,000 per violation, along with attorneys’ fees. No statute or regulation currently prescribes a technical standard for web accessibility, but the Web Content Accessibility Guidelines (WCAG) 2.0 level AA are frequently referenced by courts as the appropriate benchmark.
10. Secure your data.
Businesses that maintain personal information about California residents are required to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, use, modification or disclosure. This is a critical requirement for businesses that maintain “sensitive” personal information (such as social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, passwords, medical information and health information), because a breach of nonencrypted and nonredacted sensitive personal information that results from the business’s failure to maintain reasonable security measures can be the basis for civil actions seeking statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. These damages can add up very fast. Note the qualifier: the private right of action reaches only nonencrypted and nonredacted data, so encrypting sensitive fields at rest, redacting identifiers you do not need and deleting data you no longer need directly shrink the population of records that can give rise to these claims.
The CCPA doesn’t have to be a nightmare. Tackling these CCPA action items will go a long way toward putting your business on the path to compliance and a peaceful night’s sleep.
[1] “California AG says privacy law enforcement to be guided by willingness to comply,” by Nandita Bose, Technology News (Reuters) (12/10/2019).
[2] Id.
[3] Cal. Bus. & Prof. Code §22575(b).
[4] Cal. Civ. Code §1798.83.