CCPA deadline looms: Three critical areas to prioritize by Jan. 1
With the effective date of the California Consumer Privacy Act (CCPA) just weeks away, covered businesses are scrambling to meet the law’s wide-ranging requirements. These efforts are hampered by confusion around the CCPA and the recently proposed Attorney General implementing regulations. Nevertheless, businesses are still required to comply by the Jan. 1, 2020, deadline.
Despite this challenging environment, we focus here on three key obligations that all covered businesses should prioritize and endeavor to address prior to Jan. 1:
Reasonable security. Beginning on Jan. 1, California consumers, including employees, will be permitted to bring lawsuits – including class actions – against covered businesses following a security breach. Because the CCPA allows statutory damages of $100 to $750 per consumer, per incident, or actual damages, whichever is greater, we expect that even relatively small data breach events will result in litigation. The CCPA requires successful plaintiffs to demonstrate that the business violated its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information at issue. To effectively defend against such allegations, businesses should ensure that they can demonstrate reasonable security procedures on Jan. 1.
Consumer-facing notices. The CCPA contains strict requirements about disclosures that must be made to consumers – including employees, prospective employees, and independent contractors – concerning the business’s collection and use of personal information, consumer rights under the CCPA, and how those rights can be exercised. Businesses will need to ensure that their websites, privacy policies, and other relevant materials provide all required disclosures by Jan. 1.
Fulfillment of consumer requests. As of Jan. 1, California consumers will be empowered to ask businesses to provide disclosures about the personal information the business has collected about them and what the business is doing with it. Consumers also will have rights to access, obtain copies of, and delete personal information, and the CCPA contains strict deadlines concerning when businesses must respond to and fulfill consumer requests. Businesses should expect to begin receiving consumer requests on Jan. 1. Accordingly, businesses must have processes in place by that date to receive, verify, and appropriately respond to consumer requests within the mandated time frame.
Even in the face of continued uncertainty concerning all of its nuances, the CCPA’s Jan. 1, 2020, effective date is fast approaching. To protect against serious litigation and regulatory risks, businesses should utilize best efforts to prioritize their implementation of reasonable security procedures, completion of required consumer notices, and establishment of procedures to intake and fulfill consumer requests by Jan. 1.