Alert
Alert
05.01.19
It’s January 2, 2020, and you just received 25 requests asking for disclosure about your data collection, use and sharing practices and for a copy of the specific pieces of personal information you collected about the requesting individuals during the last 12 months. You have 45 days to respond. What do you do? Close down the business so you can find the information? By being prepared you can avoid a crisis.
The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020, and affects for-profit companies selling goods or services in or into California with $25 Million in annual gross revenues or that meet thresholds for collection or sale of personal data on anyone residing in California. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information:
From the perspective of covered businesses, these new rights create obligations to expand and annually update their privacy policy disclosures, to provide the on-demand disclosures to verified consumers within 45 days of receiving a request, to delete personal information upon request, and to refrain from selling personal information upon request.1
The disclosures that the business will be required to make in its privacy policy and to on-demand requesting parties include the categories of personal information collected in the last 12 months, how it is used, the sources of the information, with whom it is shared, how long it must be retained (for erasure requests), to whom it is sold and the specific personal information about a requesting individual. Unless the business knows where its information is located it will not be able to fulfill these requirements of the CCPA.
Building a Data Inventory
Building a data inventory that includes the types of information that will be required for your disclosures under the CCPA is a rational first step towards compliance. To create a data inventory you will need to survey all aspects of your business, from Marketing to IT to HR to Vendor Management and all points where you receive information from any source and in any format. You may be surprised to learn all the places where personal information is hiding. The inventory should include:
Once you know what data you have and where it is, you will be able to use the data inventory to build out the disclosures required by the CCPA both in your public-facing privacy policy and in templates for your on-demand disclosure responses.
(For more information about CCPA and its ramifications, or for information about properly creating and orchestrating a crisis prevention plan around CCPA requests for information, please contact the authors.)
1. CCPA’s requirements do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under CCPA if they maintain all patient information in the same manner they maintain “medical information” or “protected health information” subject to CMIA and HIPAA, respectively. CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act as well as other exemptions.