Training, Training, Training:
Not only does Section 999.317 of the California AG’s draft regulations mandate training for “[a]ll individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA,” but training is also operationally crucial for those handling verified consumer requests. One of the more difficult aspects of putting together CCPA disclosures was determining how a business would verify requests. For a typical business that interacts with consumers in a variety of contexts, a one-size-fits-all verification approach may not work in practice. This means that those handling requests need to be prepared to receive requests that do not fit neatly into the defined structure, which in turn requires a working understanding of the CCPA. Even those who helped design the processes may discover new groups of consumers that need to be handled differently, so everyone will need enough knowledge to be agile while the processes are ironed out.
Additionally, training will be necessary for all employees on how to recognize a CCPA request. Section 999.312(f) effectively mandates this: if a consumer submits a request through a channel other than the designated methods, or the request is deficient in some manner unrelated to verification, the business must either treat the request as if it had been properly submitted or give the consumer specific directions on how to submit it or cure the deficiency. In other words, any employee in the company could potentially receive a CCPA request via email, phone or even in person, and that employee needs to know how to direct the consumer to the proper request mechanism.
While assisting our clients we tried to run through every permutation of possible outcomes for responses, and there are an enormous number of possibilities. The draft regulations are chock full of details that create unique circumstances. There are different requirements for different types of requests (requests to know specific pieces of information, requests to know categories of information, and requests to delete). Some requests require declarations, authorized agents require additional documentation, and some requests are subject to heightened verification in some circumstances but not others. Together, these combinations make mapping out all of the possible outcomes very challenging. For most large businesses, however, this mapping is necessary because the business requires a standardized set of processes and procedures that can be picked up and operationalized by the people handling requests. Hopefully your business has already mapped out the possibilities, but if you deferred this work (possibly thinking it was not as important as getting disclosures up), now is the time to work through this daunting task.
Tracking the Previously Untracked:
One potentially overlooked aspect of the CCPA is that it will require businesses to track information in ways they previously have not. One example is the simple requirement in Section 1798.100(b) that a business shall not “use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” While simple on its face, in practice most businesses have never had to track which uses they disclosed at the time information was collected, and they have no mechanism for someone to go back later and determine which uses are permissible. A similar requirement in Section 999.313(d)(6)(c) says that when a business denies a consumer’s request to delete information, it shall “[n]ot use the consumer’s personal information retained for any other purpose than provided for by that exception [relied on to not delete].” Consider the implications of that requirement. Not only does a business have to record its reason for not deleting the information and limit its use of that information to the stated exception, it must do so on a per-consumer basis, and only for those consumers who made deletion requests. This presents several challenges, because the information subject to such a request may be dispersed across many data stores with no way of tagging that data with a particular use restriction. It also highlights the importance of taking positions as outlined above, because if the initial response denying the request does not fully set forth all applicable exceptions, the business may later find it needs to use the information for a purpose that was not identified as an exception.
The Only Constant Is Change:
As noted above, many parts of the CCPA are far from settled. As the requirements and interpretations of the CCPA are further developed through regulation and litigation, companies need to be prepared to change their practices, policies, and processes to comply. Similarly, internal changes within the company that affect data collection, use, disclosure, sharing, and selling will need to be monitored. Stakeholders should regularly update their CCPA compliance programs and related documentation to reflect any internal changes in data practices, so that compliance is maintained as the business evolves.
These are just a few of the key requirements that deserve attention in the new year. The requirement to document and record requests and responses means that even decisions made early on can be scrutinized for at least two years, so businesses need to dive in and address these issues now to standardize their approaches.
This blog post was originally published and distributed on the Bradley website as a Cybersecurity and Privacy Alert on January 6, 2020.