The CCPA: 5 Practical Steps to Get Started (And Yes, The Time Is Now)
While there is much about the California Consumer Privacy Act that remains unclear (with the continued potential for legislative amendment and expected guidance from the Attorney General), there is also much that is known. With an implementation date as early as January 1, 2020, there are steps companies should be taking now to start their compliance program – and which will help guide and streamline compliance going forward:
1. Know Your Data
It is essential to know the data you collect, where (and who) it comes from, how it is organized and where it is stored (often referred to as “data mapping”). Some companies may have done this or a level of this for GDPR or other compliance, others may be starting almost from scratch. This is step 1 for any privacy and data security compliance program and an essential component of corporate risk management: you can’t disclose, manage or protect what you do not know you have. And, don’t forget offline data (if you have it).
2. Data Hygiene
Once you have done the work to understand your data, consider whether there are changes to be made. Has your risk/benefit/cost analysis changed since you acquired the data? Do you have data you are no longer using and it no longer makes sense to continue storing and securing it? Is there data that should be aggregated, de-identified or brought offline?
Also, look closely at the data fields you have about your consumers. Are there categories of data that are not providing significant value (or are not being used at all) that may have significant PR risk or that otherwise would make sense to stop collecting?
3. Understand All Relevant 3rd Party Relationships
It is essential to know every 3rd party with whom you share data or provide access to your data – including through cookies, web tags and APIs. Some may no longer be relevant (e.g., tags from third parties you no longer have a business relationship with but that have not yet been removed) and others that will need to be evaluated for value. At a minimum, you should attempt to track down all 3rd party relationships by asking key business personnel in all relevant departments, obtaining a list of 3rd party contracts entered into over the past 12-18 months, scanning your web sites for third party tracking technologies, and cross checking against all vendors paid during the prior 12 months.
4. Categorize Your 3rd Party Relationships
Once you have framed the universe of relevant 3rd parties who touch your data in any way, you should categorize those relationships as: (1) business purposes; (2) selling and online advertising; and (3) other. You will then be able to consider the compliance needed for each of these categories and how to go about obtaining it. Online advertising relationships will likely need additional considerations, and to some extent, an industry response to address the requirements under CCPA.
5. Create a Project Plan and Timeline
Almost all compliance will flow from the 4 steps outlined above. Create a project plan with the specific steps needed to come into full compliance and assign appropriate internal resources to accomplish it within designated timeframes. Also consider if and how you will utilize 3rd party outside resources to assist with your compliance program.