California Consumer Privacy Act: A Priority for 2019

Privacy & Cybersecurity Newsletter
January 2019

As reported in our last newsletter, California has enacted a game-changer in the U.S. privacy regime. Concepts imported from the EU General Data Protection Regulation, such as the right to be forgotten, will be introduced to American shores for the first time. Businesses that are subject to the California Consumer Privacy Act (California Code, Cal. Civ. Code tit. 1.81.5, the “CaCPA”) need to plan now for the upcoming requirements. Even though additional amendments are expected in the coming months, the basic concepts are not expected to change, and their requirements will impose significant obligations that will require planning and preparation long in advance of the effective date of January 1, 2020, and the enforcement date by July 1, 2020 (the law provides for an enforcement date of the earlier of July 1, 2020 or six months after the date that the California Attorney General issues the final regulations).

Rights and Obligations under the CaCPA

  • Notice of Rights Under the CaCPA. California Code, Cal. Civ. Code § 1798.100 requires businesses to provide consumers with a notice of their rights under the CaCPA. These notices must be prepared in advance and provided to consumers at or prior to the time when personal information is collected, on and after the effective date of January 1, 2020.
  • Disclosure Requirements. The CaCPA requires businesses to disclose a variety of information to consumers. California Code, Cal. Civ. Code § 1798.100. When or before personal information is collected, the business must disclose to the consumer the categories of personal information to be collected and the purposes for which the categories of personal information will be used. In addition, upon request (up to twice in any 12-month period), businesses must disclose the categories and specific pieces of personal information the business has collected from the consumer. These disclosure obligations require businesses to understand fully their data collection and use practices, map and control the sharing and transmission of data, and craft appropriate disclosures in advance of the effective date.
  • Right to be Forgotten. The CaCPA provides consumers with the right to demand that a business delete all personal information collected by the business from the consumer – commonly referred to as the right to be forgotten. California Code, Cal. Civ. Code § 1798.105. To respond to these demands, businesses will need to map their consumer data to be able to identify all places within the organization where the data resides, including all of the business’s systems, paper files, and third party vendor relationships. Compliance with this requirement will mean that the business can find and delete the information, and document and confirm its satisfaction of the demand.
  • Opt-Out Right for Sales of Personal Information. If a business sells personal information, each consumer must be afforded the right to direct the business not to sell the consumer’s personal information. California Code, Cal. Civ. Code § 1798.120. Notice of this opt-out right must be provided to consumers in accordance with prescribed requirements. California Code, Cal. Civ. Code § 1798.135.

Planning for Compliance

In order to be in compliance with the requirements of the CaCPA, businesses will need to take the following actions, beginning early in 2019:

  • Project Plan and Timeline. Right after the New Year, assemble a team responsible for CaCPA compliance. The team should develop a timeline leading up to full compliance on January 1, 2020. The required activities, policies and procedures need to be identified and planned for development, drafting and implementation.
  • Data Mapping. Unlike other data mapping projects undertaken by many U.S. businesses, compliance with the CaCPA will require a deeper understanding of a broader set of data. Beyond prior definitions of personal information and nonpublic information, the definition of personal information under the CaCPA requires businesses to understand all information identifiable to an individual, regardless of format (including paper), whether or not publicly available, including even simple contact information. Therefore, new systems, operations, and third party relationships will need to be mapped to determine what information is collected, how and from whom it is collected, where it resides and how it is used, with whom it is shared, and how it can be deleted.
  • Processes for Responding to Consumer Requests and Demands. Each business must establish processes to receive, track, and respond to consumer requests and demands to comply with the requirements of the CaCPA. California Code, Cal. Civ. Code § 1798.130. For example, the CaCPA permits each consumer to request his or her information up to twice in any 12-month period. Businesses should decide how they will respond to additional requests that may be received within the period, and plan their response accordingly. Protocols must also be established for third party service providers, in order to identify those related to any particular request or demand, require their compliance with the various provisions of the CaCPA (such as to delete particular consumer information), and control their further use or dissemination of the information.