The CCPA has reached the one-year mark. This is a good time for businesses to review the success of their compliance programs and recalibrate for the CCPA’s second year. Here are a few suggestions to kick off that review:
- Privacy Policies. The CCPA requires a business to update the information in its privacy policy, or in any California-specific description of consumers’ privacy rights, at least once every 12 months. If a business has not already done so, now is a good time to review both online and offline data collection practices to ensure its privacy policies accurately disclose, at a minimum, the categories of personal information (“PI”) it collected, the categories of PI it sold, and the categories of PI it disclosed for a business purpose, in each case during the preceding 12 months.
Given the challenges of the last several months, a business may be collecting PI beyond what it currently discloses in its privacy policies. For example, a company may need to update its privacy policies to disclose the collection and use of COVID-19 related screening information, biometric information, or PI collected as a result of remote work situations.
If the business needs to update its privacy policy to reflect additional data collection activities, it will likely need to update its “notices at collection”, including employee and job applicant privacy notices.
- Employee training. The CCPA provides that a business shall ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or its CCPA compliance are informed of the applicable CCPA requirements. Businesses will want to review their training programs to confirm they now include appropriate CCPA-related training, determine whether employee handbooks and manuals have been updated accordingly, and document that the relevant employees have actually received the training.
- Reasonable Safeguards. The CCPA does not currently impose an affirmative obligation on a business to implement reasonable safeguards to protect consumer PI. It does, however, give consumers a private right of action where their nonencrypted and nonredacted PI is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. As a best practice, a business will want to confirm three things: that it has performed a risk assessment, at least annually, to identify new or heightened risks, threats, or vulnerabilities to its systems and to the PI it collects or maintains; that it has reviewed and updated its written information security program and data retention schedule; and that it has actually exercised its incident response plan rather than merely maintaining it on paper.
CCPA compliance is an ongoing activity, and these three action items are particularly worthy of review at the one-year mark. A further year-end review might also include an accessibility assessment of the business’s website; confirmation that existing service provider agreements have been amended to satisfy the CCPA, where appropriate; and confirmation that all new service provider contracts include the relevant CCPA provisions.
Although this post is focused on the CCPA, it is important to note that California voters recently passed the California Privacy Rights Act (“CPRA”). The CPRA supplements and amends the CCPA. Two CPRA provisions are worth noting because they bear directly on the items in this action list. First, effective January 1, 2023, businesses will have an affirmative obligation to implement reasonable security safeguards, rather than facing that standard only through the data breach private right of action. Second, businesses will be required to disclose their collection and use of “sensitive personal information” and must permit individuals to limit the business’s use of that information in certain circumstances. By adding these provisions, the CPRA builds upon and expands the CCPA, inching it a bit closer to the EU General Data Protection Regulation.