Preparing for CCPA and Beyond — Axiom Privacy Experts Offer Insight
By Axiom Law
California’s new privacy law, the California Consumer Privacy Act, goes live on January 1, 2020. The law will impact a wide range of companies that do business within the state, which could include over 500,000 companies, according to one estimate. Because California is one of many jurisdictions that have passed or are considering new privacy regulation, it's imperative companies take data privacy seriously.
Axiom’s lawyers have completed over 450 data privacy engagements in 2018 and 2019 alone. We asked Dina Maxwell and Carlyn Epstein, two Axiom lawyers with extensive experience in data privacy, to share insight on what companies can prioritize in order to prepare for CCPA. Both have worked with numerous companies to help them prepare and maintain privacy compliance, and to work privacy into their regular business practices and organizational design.
What are top learnings from GDPR that companies could apply in preparation for CCPA?
1. Understand your business and prioritize issues accordingly. Some areas of compliance will be more important to particular clients than others, so it’s important to prioritize.
2. Be strategic – don’t tackle all compliance issues at once. Privacy compliance is definitely a marathon, not a sprint, so understand that it will take time to reach a reasonable level of compliance.
3. Present “Good,” Better,” and “Best” options for compliance. The cost of compliance can be high, and with the introduction of laws that are increasingly complex, it is important to find solutions that are not only compliant, but that factor in issues such as size of the organization, resources and staffing available, and key risk areas. Overall, organizations are better off tackling the most important compliance areas, such as breach response and data subject access requests, rather than spending all of their time and resources perfecting one aspect of compliance, like spending all budgeting on perfecting an expensive data inventory system.
As we have seen with GDPR, we can expect regulators to be keen to look for violations and to levy fines. Companies should expect an uptick in data subject access requests, and in requests to delete data. Thanks to GDPR, consumers have never been more aware of their rights with respect to their data, and they are increasingly exercising those rights.
1. Not everyone is “ready to comply.” Companies are all over the place in their preparations, and a lot of companies might be waiting to see how the regulatory landscape pans out, but a lot of them might just be way behind. While larger companies tend to be more prepared, the size of a company impacts how much infrastructure buildout they have on the compliance side, including multiple business units and subsidiaries – which can mean disconnected systems that have to be integrated – and how many contracts (literally thousands) they have to amend with processors or service providers.
2. Not everyone knows what personal data is.
3. Not everyone knows where their data is.
The biggest insight I think companies found is that during GDPR exercises, they did not know where all the data was. So, they should learn this time around that it is going to be a difficult process centralizing where data is held, and they need to start preparing far in advance. Starting early, knowing where data is, and knowing where contracts are housed are the best pieces of advice I can give.
What are the top three hurdles that companies could face if they aren’t prepared?
1. You might not understand if CCPA applies to you – its reach is slightly broader than one might think. CCPA applies to for-profit entities that collect consumer personal information, do business in California, and meet any one of three criteria: gross revenue greater than $25 million; data transfers of 50,000 consumers, households, or devices; and sizable data brokers.
2. You may not realize that you are actually “doing business in California” – for example, maintaining mailing lists that include California residents, collecting online user information, and/or shipping goods into California.
3. You may fail to understand that the definition of personal information is broad, and that you are in fact processing personal information under the law, which is defined as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
In your opinion, what may be the biggest repercussions for those firms that aren’t prepared?
Carlyn: The three biggest issues will most likely be:
2. Bad press and loss of consumer trust in a company or brand
3. Difficulty working with service providers — not all service providers are cooperating or quick to respond, as they don’t understand CCPA requirements or are still reeling from GDPR efforts.
Also, just the cost of bringing the organization into compliance can be quite high. Companies need to bring on more help, which can affect Legal and Compliance department budgets, and will most likely stretch in-house counsel thin.
What do companies need to think about now to help get prepared for CCPA? Is there still time?
Dina: Yes, there is always time. Compliance is an ongoing process.
Organizations should think about priority issues, such as having an effective incident response plan that includes reporting and escalation procedures, ensuring that any third parties processing data are aware of their CCPA obligations, keeping an eye on legislative and enforcement developments, and keeping records of compliance.
Carlyn: There’s still time, in that most companies probably won’t fully be ready even by the deadline, in my experience, and enforcement for CCPA begins on July 1. They might be on the compliance side, but maybe not as much on the contracts side, where there may be thousands of contracts to amend. Likely they’re going to need to bring on more help if their in-house staff can’t handle it.
There’s also still time in the sense that there continue to be drafts and clarifications of the CCPA law coming out, so some companies might take the position that they don’t know what to comply with yet, because it’s not finalized.
For a checklist to help your business prepare for compliance with CCPA, download our free CCPA preparation checklist. If you need extra help getting ready for CCPA or other regulations, get in touch with us at Axiom.
Axiom lawyer Dina Maxwell has built a career around an interest in privacy legislation, data governance, and data access.
Lawyer Angelo Basu examines the business impact of privacy regulations like GDPR and CCPA.
Axiom lawyer Sue Gomez draws from extensive experience in Silicon Valley to outline the nuances of building a privacy function.