The Top 5 Reasons Your CCPA Work Is Far from Over

So, you managed to get your California Consumer Privacy Act disclosures and privacy policy up on your website and you can finally take some much-needed rest, right? Think again. And no, it’s not because of the “CCPA-like” statutes coming to a state near you that you’re undoubtedly reading about (and yes, they are coming). It’s because CCPA requires a large amount of implementation beyond the disclosures and notices. And importantly, much of that implementation will be scrutinized by those making requests (and who could pass it along to the plaintiff’s bar or California attorney general). Here is a list of a few important considerations that you may have tabled while trying to get disclosures up on your site, which now deserve your full attention.

  1. Training, Training, Training:

    Not only does Section 999.317 of the California AG’s draft regulations mandate training for “[a]ll individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA,” but training is also operationally crucial for those handling the verified consumer requests. One of the more difficult aspects of putting together CCPA disclosures was determining how a business would verify requests. For a typical business with a variety of contexts in which it interacts with consumers, a one-size-fits-all approach may not work in practice. This means that those handling requests need to be prepared to receive requests from consumers that may not fit neatly into the defined structure, which will require them to have a working understanding of the CCPA. Even those that have helped design the processes may discover new groups that need to be handled differently, so everyone will need enough knowledge to be agile while the processes are ironed out.

    Additionally, training will be necessary for all employees on how to recognize a CCPA request. Section 999.312(f) mandates that all employees recognize a potential CCPA request by requiring that a company respond to any individual who makes a request — even if that request is deficient or not made through the proper channels. In other words, any employee in the company could potentially receive a CCPA request via email, phone or even in person that would require that employee to know how to direct the consumer to the proper request mechanism.

  2. Response Permutations:

    While assisting our clients we tried to run through every permutation of possible outcomes for responses, and there are an enormous number of possibilities. The draft regulations are chock full of details that create unique circumstances. There are requirements for different types of requests (requests for specific pieces of information, for different categories of information, and for deletion). Some requests require declarations, authorized agents require additional documentation, and some requests have heightened verification in some circumstances and not others. Together all of these possible combinations make mapping out all of the possible outcomes very challenging. For most large businesses, however, this mapping is necessary because the business requires a standardized set of processes and procedures that can be picked up and operationalized. Hopefully your business has already mapped out the possibilities, but if you have deferred this process (possibly thinking it was not as important as getting disclosures up) now is the time to work through this daunting task.

  3. Taking Positions:

    The CCPA disclosures and privacy policy deserved a large amount of attention because they are online for all to see and compare. They create a record of compliance, or lack thereof, and reflect legal analysis, business decisions and risk assessment. This makes them somewhat unique in that there are not many public statements that companies must make where there is so much ambiguity and uncertainty in the face of potentially large consequences for non-compliance. A casual perusal and comparison of CCPA disclosures and policies online demonstrates that even very large companies are far from settled on a uniform approach. But a business’s obligation to take legally informed positions and set them out in writing does not end with its disclosures and privacy policies. Instead, businesses will have to continue to take and document such positions in responding to requests due to requirements set out in the draft regulations. For example, Section 999.313(c)(5) requires that if a business denies a consumer’s verified request to know specific pieces of information due to a conflict with state or federal law, the business “inform[s] the requestor and explain the basis for the denial.” Similarly, Section 999.313(d)(6)(a) requires a business that denies a deletion request to “describe the basis for the denial, including any statutory and regulatory exception therefor. . .” In both circumstances the business has to set forth its basis by reference to a law, which implies a legal analysis and conclusion. Therefore, these affirmative analyses are open to scrutiny by the recipients and others that may review them. Further, the business must maintain a record of all requests for at least 24 months, which includes “the basis for the denial of the request if the request is denied in whole or in part” (see Section 999.317 of the draft regulations).

  4. Tracking the Previously Untracked:

    One potentially overlooked aspect of CCPA is that it will require businesses to track information in ways that they previously have not. One example is the simple requirement in Section 1798.100(b) that a business shall not “use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” While simple on its face, in practice most businesses have never had to track what uses they disclosed when they collected information, and they have no mechanism for someone in the future to go back and determine what uses are permissible. A similar requirement contained in Section 999.313(d)(6)(c) says that when a business denies a consumer’s request to delete information it shall “[n]ot use the consumer’s personal information retained for any other purpose than provided for by that exception [relied on to not delete].” Consider the implications of that requirement. Not only does a business have to track its reason for not deleting information and limit its use of that information to what it stated as the exception, it must do so on a per-consumer basis for only those consumers who made deletion requests. This presents several challenges given that the information subject to such a request may be dispersed across many data stores with no way of tagging that data for a particular use restriction. It also highlights the importance of taking positions as outlined above, because if the initial response to the disclosure does not fully set forth all exceptions, the business may later be confronted with a need to use the information for a purpose that was not identified as an exception.

  5. The Only Constant Is Change:

    As noted above, many parts of the CCPA are far from settled. As the requirements and interpretations of CCPA are further developed through regulation and litigation, companies need to be prepared to make changes to their practices, policies, and processes to comply. Similarly, internal changes within the company that affect data collection, use, disclosure, sharing, and selling will need to be monitored. Stakeholders should regularly update their CCPA compliance programs and related documentation to track any internal changes relating to data practices to ensure that CCPA compliance is maintained.

These are just a few of the key requirements that deserve some attention in the new year. The requirement to document and record responses means that even decisions made early on can be scrutinized for at least two years, meaning businesses need to dive in and address these issues now to standardize their approaches.

This blog post was originally published and distributed on the Bradley website as a Cybersecurity and Privacy Alert on January 6, 2020.