California’s new consumer privacy act, CCPA, goes live on January 1, 2020, but many companies are still scrambling to prepare. According to a benchmarking survey by OneTrust, as of August 2019, only 2% of companies considered themselves CCPA compliant. In addition, 13% of the companies they surveyed do not plan to be in compliance when enforcement of the law begins on July 1, 2020, or have no plan at all for CCPA.
The risks for non-compliance with CCPA are large. They include not only fines, including up to $7,500 per intentional violation, but also reputational risk and breaking consumer trust. Preparing for CCPA requires an expert understanding of the law’s complexities, legal department bandwidth, leadership buy-in, and employee training. While your company’s plan for CCPA compliance will vary depending on your business revenue structure, industry, and tolerance for risk, there are concrete steps that you can take to ensure you are on the path to setting up and maintaining compliance.
Axiom’s lawyers have worked on over 450 data privacy engagements in 2018 and 2019 alone, including helping companies comply with GDPR and CCPA. Based on this experience, we’ve found that there are four broad phases companies follow in implementing policies for new data privacy laws: current state analysis, gap assessment and recommendation, implementation, and analysis and evolution.
The checklist below breaks down these phases into actionable steps. As your company prepares for CCPA, use it to guide your compliance process, and download a copy to keep on hand.
- Current state analysis
- Project mapping
- Interview internal privacy stakeholders, including CCO, CRO, CPO
- Create organizational privacy vision
- Structure privacy team, including members from both legal and operational departments
- Review policies and customer communications
- Review existing privacy policies, customer communications, and privacy notices to identify needed updates
- Identify outstanding policies
- Map and inventory data
- Document all privacy-related information repositories and data life cycle
- Review systems and agreements with third parties who have data access
- Gap assessment and recommendation
- Document gaps in policies, procedures, third-party data sharing agreements, training, privacy notices, and customer communications
- Create recommendation to close gaps
- Present recommendation to senior stakeholders
- Include proposed implementation plan and timeline
- Implementation
- Remedy gaps
- Address deficiencies in policies, training, and procedures such as DPIAs and DSARs
- Implement “privacy by design” and “privacy by default” in all products and offerings
- Update contracts as needed
- Repaper third-party contracts, including data processing agreements
- Train and communicate
- Draft an enterprise-wide communication plan to keep relevant parties updated on company readiness and response
- Develop training plans customized for each department
- Measure, maintain, and evolve
- Determine key metrics to measure privacy program
- Define what “success” looks like for privacy program
- Determine metrics to assess privacy program and how they will be collected
- Monitor and respond
- Maintain privacy inbox and respond to consumer requests
- Report to compliance regulators
- Iterate program as privacy legislation evolves
- Adjust program as interpretation and enforcement is clarified
- Continue to update as business objectives evolve
You can also download this checklist for easy reference.
Axiom lawyers have helped companies at every stage on this list build, strengthen, and scale their privacy programs. As CCPA approaches, now is the time to begin or accelerate your privacy planning, implementation, and training. If you need expert privacy help and greater capacity to meet the January 1 deadline, Axiom can help you find the right lawyer for your needs.
