CCPA 12-Month Compliance Series

At the core of complying with the CCPA is knowing how to deal with consumer’s requests with respect to any of the eight rights regarding their personal information (PI), which are:

  1. An abbreviated right to disclosure regarding PI collected (§1798.100)
  2. An expanded right to disclosure regarding PI collected (§1798.110(a))
  3. Right to disclosure regarding PI sold or disclosed for a business purpose (§1798.115)
  4. Right to opt-out of sale of PI (§1798.120)
  5. Right to opt-in for sale of minor’s PI (§1798.120(c))
  6. Right to deletion of PI collected (§1798.105)
  7. Right to access PI (§1798.100(d))
  8. Right to not be discriminated against (§1798.125)


Continue Reading CCPA 12-Month Compliance Series Part 5: Responding to Consumer Requests

A business that is subject to the CCPA will need to update its consumer-facing online privacy policy. At a bare minimum, a privacy policy (and any California-specific privacy disclosure) must disclose:

  • A description of a consumer’s right to disclosure regarding the personal information (“PI”) that the business has collected about the consumer, a consumer’s right to disclosure regarding the business’s sale of her or his PI, and a consumer’s right not to be discriminated against for exercising any rights under the CCPA [Cal. Civ. Code §1798.130(a)(5)(A)];
  • Categories of PI collected, sold, or disclosed in the preceding 12 months [Cal. Civ. Code §1798.130(a)(5)(B)&(C)]; and
  • Two or more designated methods for submitting consumer requests, including a toll-free number and a website address [Cal. Civ. Code §1798.130(a)(1)].


Continue Reading CCPA 12-Month Compliance Series Part 4: Update Your Privacy Policy

After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps. See e.g.Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three to identify actions to comply with current/future obligations and to prioritize such actions based on risks).
Continue Reading CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis

To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.”
Continue Reading CCPA 12-Month Compliance Series Part 2: Know Your Data

The California Office of the Attorney General (OAG) will be promulgating regulations to further and provide guidance regarding the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.

The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here.
Continue Reading CCPA 12-Month Compliance Series Part 1: Participate in Rulemaking