As reported in our last newsletter, California has enacted a game-changer in the U.S. privacy regime. Concepts imported from the EU General Data Protection Regulation, such as the right to be forgotten, will be introduced to American shores for the first time. Businesses that are subject to the California Consumer Privacy Act (California Code, Cal. Civ. Code tit. 1.81.5, the “CaCPA”) need to plan now for the upcoming requirements. Even though additional amendments are expected in the coming months, the basic concepts are not expected to change, and their requirements will impose significant obligations that will require planning and preparation long in advance of the effective date of January 1, 2020, and the enforcement date of no later than July 1, 2020 (the law provides for an enforcement date of the earlier of July 1, 2020 or six months after the date that the California Attorney General issues the final regulations).
Rights and Obligations under the CaCPA
- Notice of Rights Under the CaCPA. California Code, Cal. Civ. Code § 1798.100 requires businesses to provide consumers with a notice of their rights under the CaCPA. These notices must be prepared in advance and provided to consumers at or prior to the time when personal information is collected, on and after the effective date of January 1, 2020.
- Disclosure Requirements. The CaCPA requires businesses to disclose a variety of information to consumers. California Code, Cal. Civ. Code § 1798.100. When or before personal information is collected, the business must disclose to the consumer the categories of personal information to be collected and the purposes for which the categories of personal information will be used. In addition, upon request (up to twice in any 12-month period), businesses must disclose the categories and specific pieces of personal information the business has collected from the consumer. These disclosure obligations require businesses to understand fully their data collection and use practices, map and control the sharing and transmission of data, and craft appropriate disclosures in advance of the effective date.
- Right to be Forgotten. The CaCPA provides consumers with the right to demand that a business delete all personal information collected by the business from the consumer – commonly referred to as the right to be forgotten. California Code, Cal. Civ. Code § 1798.105. To respond to these demands, businesses will need to map their consumer data to be able to identify all places within the organization where the data resides, including all of the business’s systems, paper files, and third-party vendor relationships. Compliance with this requirement will mean that the business can find and delete the information, and document and confirm its satisfaction of the demand.
- Opt-Out Right for Sales of Personal Information. If a business sells personal information, each consumer must be afforded the right to direct the business not to sell the consumer’s personal information. California Code, Cal. Civ. Code § 1798.120. Notice of this opt-out right must be provided to consumers in accordance with prescribed requirements. California Code, Cal. Civ. Code § 1798.135.
Planning for Compliance
To comply with the requirements of the CaCPA, businesses will need to take the following actions, beginning early in 2019:
- Project Plan and Timeline. Right after the New Year, assemble a team responsible for CaCPA compliance. The team should develop a timeline leading up to full compliance on January 1, 2020. The required activities, policies and procedures need to be identified and planned for development, drafting and implementation.
- Data Mapping. Unlike other data mapping projects undertaken by many U.S. businesses, compliance with the CaCPA will require a deeper understanding of a broader set of data. Beyond prior definitions of personal information and nonpublic information, the definition of personal information under the CaCPA requires businesses to understand all information identifiable to an individual, regardless of format (including paper), whether or not publicly available, including even simple contact information. Therefore, new systems, operations, and third-party relationships will need to be mapped to determine what information is collected, how and from whom it is collected, where it resides and how it is used, with whom it is shared, and how it can be deleted.
- Processes for Responding to Consumer Requests and Demands. Each business must establish processes to receive, track, and respond to consumer requests and demands in order to comply with the requirements of the CaCPA. California Code, Cal. Civ. Code § 1798.130. For example, the CaCPA permits each consumer to request his or her information up to twice in any 12-month period. Businesses should decide how they will respond to additional requests that may be received within the period, and plan their response accordingly. Protocols must also be established for third-party service providers, in order to identify those related to any particular request or demand, require their compliance with the various provisions of the CaCPA (such as to delete particular consumer information), and control their further use or dissemination of the information.