CCPA deadline looms: Three critical areas to prioritize by Jan. 1
With the effective date of the California Consumer Privacy Act (CCPA) just weeks away, covered businesses are scrambling to meet the law’s wide-ranging requirements. These efforts are hampered by confusion around the CCPA and the recently proposed Attorney General implementing regulations. Nevertheless, businesses are still required to comply by the Jan. 1, 2020, deadline.
Despite this challenging environment, we focus here on three key obligations that all covered businesses should prioritize and endeavor to address prior to Jan. 1:
Reasonable security. Beginning on Jan. 1, California consumers, including employees, will be permitted to bring lawsuits – including class actions – against covered businesses following a security breach. Because the CCPA allows statutory damages of $100 to $750 per consumer, per incident, or actual damages, whichever is greater, we expect that even relatively small data breach events will result in litigation. The CCPA requires successful plaintiffs to demonstrate that the business violated its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information at issue. To effectively defend against such allegations, businesses should ensure that they can demonstrate reasonable security procedures on Jan. 1.
Consumer-facing notices. The CCPA contains strict requirements about disclosures that must be made to consumers – including employees, prospective employees, and independent contractors – concerning the business’s collection and use of personal information, consumer rights under the CCPA, and how those rights can be exercised. Businesses will need to ensure that their websites, privacy policies, and other relevant materials provide all required disclosures by Jan. 1.
Fulfillment of consumer requests. As of Jan. 1, California consumers will be empowered to ask businesses to provide disclosures about the personal information the business has collected about them and what they’re doing with it. Consumers also will have rights to access, obtain copies of, and delete personal information, and the CCPA contains strict deadlines concerning when businesses must respond to and fulfill consumer requests. Businesses should expect to begin receiving consumer requests on Jan. 1. Accordingly, businesses must have processes in place by that date to receive, verify, and appropriately respond to consumer requests within the mandated time frame.
Even in the face of continued uncertainty concerning all of its nuances, the CCPA’s Jan. 1, 2020, effective date is fast approaching. To protect against serious litigation and regulatory risks, businesses should utilize best efforts to prioritize their implementation of reasonable security procedures, completion of required consumer notices, and establishment of procedures to intake and fulfill consumer requests by Jan. 1.
InsightREAL ESTATE: How coronavirus will shape the smart workplaces of the futureVincent DermodyIn a post-pandemic world, office building design priorities will need to shift from function to the purpose of the space and the behavior of the people occupying it.
InsightRISK MANAGEMENT: As coronavirus spreads, factor cybersecurity into remote-work policiesShahryar ShaghaghiEfforts to limit coronavirus contagion have upended global commerce and shifted operating models in ways that are intensifying IT risks.