CCPA Guide: We Are Covered, So Now What Do We Do? Create a Project Plan!

Privacy & Cybersecurity Newsletter
August 2019

Effective January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will impose new privacy obligations on certain businesses that collect personal information of California residents and are responsible, alone or jointly with others, for determining the purposes and means of processing that information. As a companion to our articles in this Newsletter, "Are You Covered by the CCPA?" and "Does Personal Information Include Employee and Employee Benefit Plan Data?", below is a list of action items, key deliverables, and target dates for creating a compliance program in time for the CCPA's effective date.

As this timeline indicates, it is imperative that a business begin its compliance efforts immediately in order to be prepared for the onerous requirements in advance of the CCPA effective date of January 1, 2020. Even though the CCPA enforcement date is the earlier of July 1, 2020 or six months following the date that the California Attorney General issues regulations under the CCPA, businesses must comply with the CCPA requirements beginning January 1, 2020.

| Action Item | Key Deliverables | Target Deliverable Date |
| --- | --- | --- |
| Data Mapping | Review what types of personal information the business collects and how that information is processed, including to whom it is transmitted or made accessible and where it is stored. Create a data map. | August 31, 2019 |
| Draft Policies and Procedures | Draft policies and procedures that document how the business intends to comply with its responsibilities under the CCPA. For example, develop a policy and procedure to review data and systems periodically, verify the validity of consumer requests, respond to consumer requests (including protocols for deleting data), and manage vendor contracts. | September 30, 2019 |
| Draft Disclosure Notices | Draft required notices: (i) the consumer's rights under the CCPA (such as the right to request the categories and specific data held by the business, the right to be forgotten, and the right to opt out of the sale of personal information) and (ii) the business's collection of personal information and the purposes for which such information will be used. | September 30, 2019 |
| Review and Amend Vendor Contracts | Review and, as necessary, amend contracts with third-party service providers to ensure the business can compel its vendors to comply with CCPA requirements. For example, if a vendor maintains data that is required to be disclosed to a consumer or deleted upon request, the vendor must be obligated to do so in the service agreement. | November 30, 2019 |
| Draft Form Request and Response Letters | Draft forms for consumers to use in exercising their various rights under the CCPA and draft form response letters for the business. For example, draft a consumer request for categories and specific data collected by a business, as well as a response letter, including a form for when the response is to not disclose the information (such as when the consumer has submitted more than 2 requests within a 12-month period). | December 31, 2019 |