It’s January 2, 2020, and you just received 25 requests asking for disclosure about your data collection, use and sharing practices and for a copy of the specific pieces of personal information you collected about the requesting individuals during the last 12 months. You have 45 days to respond. What do you do? Close down the business so you can find the information? By being prepared you can avoid a crisis.
The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020, and affects for-profit companies doing business in California that have more than $25 million in annual gross revenues or that meet the Act’s thresholds for the volume of personal information they buy, receive, sell or share, or for the share of revenue they derive from selling personal information about California residents. The Act grants “consumers” (any natural person who is a California resident, regardless of whether that person has a customer or any other relationship with the covered business) five new rights respecting their personal information:
Building a Data Inventory
Building a data inventory that includes the types of information that will be required for your disclosures under the CCPA is a rational first step towards compliance. To create a data inventory you will need to survey all aspects of your business, from Marketing to IT to HR to Vendor Management and all points where you receive information from any source and in any format. You may be surprised to learn all the places where personal information is hiding. The inventory should include:
(For more information about CCPA and its ramifications, or for information about properly creating and orchestrating a crisis prevention plan around CCPA requests for information, please contact the authors.)
1. CCPA’s requirements do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under CCPA if they maintain all patient information in the same manner they maintain “medical information” or “protected health information” subject to CMIA and HIPAA, respectively. CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act as well as other exemptions.