Effective January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) will impose new privacy obligations on certain businesses that collect personal information of residents of California and are responsible (alone or jointly with others) for determining the purposes and means of the processing of such information. As a follow-up to our prior article (Are We Covered by the CCPA?), below is a list of action items, key deliverables, and target dates to create your compliance program in time for the CCPA’s effective date.

| Action Item | Key Deliverables | Target Deliverable Date |
| --- | --- | --- |
| Data Mapping | Review what type of personal information is collected by the business and how it is processed, including to whom it is transmitted or made accessible, and where it is stored. Create a data map. | May 31, 2019 |
| Draft Policies and Procedures | Draft policies and procedures that document how the business intends to comply with its responsibilities under the CCPA. For example, develop a policy and procedure to review data and systems periodically, verify the validity of consumer requests, respond to consumer requests (including protocols for deleting data), and manage vendor contracts. | July 31, 2019 |
| Draft Disclosure Notices | Draft required notices: (i) the consumer’s rights under the CCPA (such as the right to request what categories and specific data are held by the business, the right to be forgotten, and the right to opt out of the sale of personal information) and (ii) the business’s collection of personal information and the purposes for which such information will be used. | August 31, 2019 |
| Review and Amend Vendor Contracts | Review and, as necessary, amend contracts with third-party service providers to ensure the business can compel its vendors to comply with CCPA requirements. For example, if a vendor maintains data that is required to be disclosed to a consumer or deleted upon request, the vendor must be obligated to do so in the service agreement. | November 30, 2019 |
| Draft Form Request and Response Letters | Draft forms for consumers to use in exercising their various rights under the CCPA and draft form response letters for the business. For example, draft a consumer request for categories and specific data collected by a business, as well as a response letter, including a form for when the response is to not disclose the information (such as when the consumer has submitted more than 2 requests within a 12-month period). | December 31, 2019 |

As this timeline indicates, it is imperative that a business begin its compliance efforts immediately in order to be prepared for the onerous requirements in advance of the CCPA effective date of January 1, 2020. Even though the CCPA enforcement date is the earlier of July 1, 2020 or six months following the date that the California Attorney General issues regulations under the CCPA, businesses must comply with the CCPA requirements beginning January 1, 2020.
We will be publishing additional Quick Studies on the CCPA to help clients understand the various requirements. For help with developing your business’ compliance program, please contact any member of our team.