the minimum requirements for the January 2020 CCPA deadline


January 2020 is almost here, so it is crucial for companies to be compliant with the CCPA regulations. A lot of EU companies didn’t take the May 25th, 2018 GDPR deadline seriously, since they knew auditors and regulators would likely focus only on the tech giants in the beginning. Given that the US is more litigious, and that there are a number of US law firms whose sole purpose is to file class-action lawsuits against non-compliant companies, it is crucial to be ready for the CCPA Jan 1st, 2020 deadline.

If a business is required to meet the CCPA requirements, at a minimum, they must implement the following procedures:

1. Create an internal data inventory

Create a data inventory to track the company’s data and processing activities. This is a very important step, since this information will help lawyers draft the required updates to the company’s privacy policy. The data mapping can be as comprehensive as you want, but at a minimum it should include:

What personal information is collected

What the business use cases for collecting the personal information are

For how long the personal information is being stored

2. Create a data inventory of third party vendors

Businesses should also map all third party vendors they are sharing personal information with. Data similar to the internal data inventory should be captured:

What PI is shared with the vendor

What the business use cases for sharing the PI with the vendor are

In addition to providing updates with respect to changes to the company’s privacy policy, this data mapping should be used to review contractual obligations between the company and its vendors in order to prohibit vendors from retaining, using, or disclosing the personal information for any purpose other than the one of performing the services specified.

3. Update the company’s privacy policy

Update the company’s privacy policy to disclose what personal information is collected, how the information is used, and with whom the information is shared.

Privacy policies must also inform customers of their new rights under the CCPA:

the right to obtain copies of personal information

the right to request deletion of personal information

the right to opt out of the sale of personal information

4. Provide two ways for customers to submit data requests

A company needs to provide at least two methods, free of charge, that allow customers to submit data requests.

There are a few ways in which this can be done; however, if companies are rushing to become compliant by the end of the year, providing a toll-free number and a dedicated address in your privacy policy should be enough.

Document all the requests and your responses so you have a clear record in case of any audit.

If a company is selling customers’ personal information, the company’s website, as well as its privacy policy, must include links labeled “Do Not Sell My Personal Information”. These links should take users to the request methods defined above or to a page where they can opt out directly.

5. Determine whether a customer is under 16 years of age

The CCPA prohibits businesses from selling the personal information of California customers who are under 16 years of age. Willfully disregarding the customer’s age doesn’t insulate businesses from complying.

If the business does not target users under 16 years old, it is still recommended to provide a checkbox confirming their age before collecting any personal information. You don’t need to backfill age for existing customers.

If you do target users under 16 years old, you need to request explicit consent authorizing the sale of their personal information.

6. Define procedures for responding to customers’ requests

Since businesses have 45 days to disclose and deliver to their customers the requested personal information, they DON’T NEED to have this ready by Jan 2020, but it is something very important to keep in mind.

Define procedures that describe how requests for access, requests for deletion, and opt-out requests are processed. These procedures can be manual or automatic; however, companies need to make sure they cover all internal and third-party systems (digital as well as non-digital).
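The data inventory of steps 1 and 2 and the request log of steps 4 and 6 are easier to keep honest when they live in one structured place. The following Python sketch is an added example and is not code from the article: it models inventory rows (internal and vendor), answers "which systems and vendors must be touched for a request about this category of personal information", checks that at least two request channels are offered, and computes the 45-day response deadline so overdue requests can be flagged. All system, vendor and request names are constructed placeholders.

```python
"""Toy CCPA data inventory and request log (constructed example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(days=45)  # response deadline from step 6


@dataclass(frozen=True)
class InventoryRow:
    """One row of the data inventory (steps 1 and 2).

    vendor is None for internal processing and holds the vendor's name when
    the row records personal information shared with a third party.
    """
    system: str
    category: str          # what personal information is held
    purpose: str           # business use case
    retention_days: int    # how long it is kept
    vendor: Optional[str] = None


# Constructed sample inventory; system and vendor names are hypothetical.
INVENTORY = [
    InventoryRow("crm", "email address", "account notifications", 730),
    InventoryRow("crm", "postal address", "order fulfilment", 730),
    InventoryRow("billing", "payment card last4", "refunds", 2555),
    InventoryRow("email-platform", "email address", "marketing campaigns", 365,
                 vendor="MailVendorCo"),
    InventoryRow("paper-archive", "postal address", "returns handling", 1825),
]


@dataclass
class Request:
    """One customer request kept for the audit trail (step 4)."""
    request_id: str
    kind: str                  # "access", "delete" or "opt-out"
    received: date
    channel: str               # "toll-free number", "postal address", ...
    completed: Optional[date] = None

    @property
    def due(self) -> date:
        return self.received + RESPONSE_WINDOW

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.due


# Constructed sample request log.
SAMPLE_LOG = [
    Request("R-1", "access", date(2020, 1, 6), "toll-free number"),
    Request("R-2", "delete", date(2020, 1, 10), "postal address",
            completed=date(2020, 2, 1)),
]


def systems_holding(category: str) -> set:
    """Every internal and vendor system that must be covered for a request about `category`."""
    return {row.system for row in INVENTORY if row.category == category}


def vendors_sharing(category: str) -> set:
    """Third parties that received `category`; each needs the request passed through contractually."""
    return {row.vendor for row in INVENTORY if row.category == category and row.vendor}


def offers_two_channels(channels: set) -> bool:
    """Step 4: at least two free request methods must be published."""
    return len(channels) >= 2


def due_date(received_iso: str) -> str:
    """ISO date by which a request received on `received_iso` must be answered."""
    return (date.fromisoformat(received_iso) + RESPONSE_WINDOW).isoformat()


def overdue_requests(today_iso: str, requests=SAMPLE_LOG) -> list:
    """IDs of open requests whose 45-day window has passed as of `today_iso`."""
    today = date.fromisoformat(today_iso)
    return sorted(r.request_id for r in requests if r.is_overdue(today))


if __name__ == "__main__":
    print("systems with email address:", systems_holding("email address"))
    print("vendors with email address:", vendors_sharing("email address"))
    print("R-1 due:", due_date("2020-01-06"))
    print("overdue on 2020-02-25:", overdue_requests("2020-02-25"))
```

The point of keying everything on the personal-information category is that a deletion or access request then expands automatically into the list of internal systems, paper archives and vendors that must act, which is exactly the coverage step 6 asks procedures to guarantee.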