Saturday Sitrep: Compliance with the CCPA
The California Consumer Protection Act (CCPA) is in effect, and organizations must now comply with its requirements. Currently, personal data originating from individuals residing in California (“Consumers”) is the focus of the CCPA. There is a one-year hold on enforcement for non-Consumer personal data, but companies should not sleep on that deadline. Complying with the CCPA requires an organization to understand (1) what data it collects, (2) where that data comes from, and (3) how it handles that data throughout its lifecycle with the organization. The first step can be difficult for an organization that hasn’t performed any data flow or data mapping exercises before.
Despite the trend towards the free flow of information, it can be difficult for one individual or department in an organization to know every category of information that passes through it. The heads of the different functional groups should be asked what information they routinely handle, and from their replies you can form a rough understanding of the data your organization handles. For the second step, a good place to start is to determine which clients your organization serves, as all corporate client data will be covered under the business-to-business exception for a year. This should allow you to determine which individual clients your organization serves, and you can create your mailing list from this data. All individual Consumers will have to be provided notice of what personal data you collected and what you use it for. Any third parties that you employ to handle this Consumer data should be contacted about their CCPA compliance, and you may have to introduce a CCPA addendum into your agreement with them. The third step will help you create the Consumer notice and the vendor addendum, as you’ll be able to provide specifics about any information your organization handles.