Not concerned about the CCPA? If you receive Personal Information from California businesses, you probably should be.
California’s groundbreaking California Consumer Privacy Act (CCPA) imposes rigorous mandates on entities that collect Personal Information from California consumers. Companies that don’t collect such Personal Information might be tempted to breathe a huge sigh of relief, assuming that they’re off the CCPA hook. That, however, could be a costly mistake.
Businesses that are directly subject to the CCPA are statutorily required to impose certain requirements on companies to which they transfer Personal Information. In order to provide services to CCPA-governed organizations, “service providers” must be able to satisfy those requirements. As the CCPA’s Jan. 1 effective date approaches, those requirements are already being included in service provider contracts and in RFPs. Service providers that cannot satisfy them face serious competitive disadvantages.
The following are crucial CCPA readiness recommendations for service providers:
1. Review data security policies and procedures to ensure that your organization has implemented and continued to maintain reasonable security procedures and practices appropriate to the nature of the Personal Information collected.
2. Map data inventory:
a. Identify the location of any Personal Information you’ve received from your CCPA-covered business partners.
b. Ensure that if Personal Information is being transferred from your company to third parties, it is not being “sold,” as that term is defined in the CCPA.
c. Ensure that Personal Information can be located, shared, and deleted in accordance with retention policies and verified consumer requests.
3. Review and revise downstream contracts (including click-through agreements) to ensure that third parties agree to:
a. Act as “service providers,” as set forth in the CCPA, and
b. Assist with consumer requests.
4. Amend upstream contracts to clarify that your company is a “service provider” by including statutory language set forth in the CCPA.
5. Establish policies and procedures to comply with consumer requests, including:
a. Template responses
b. Technical procedures
Because California is the fifth-largest economy in the world, and each CCPA-covered entity can have multiple service providers, neglecting CCPA readiness is simply not an option for companies doing business on a national scale. Although satisfying CCPA-required mandates may impose certain financial and operational challenges, the news is not all bad: Achieving CCPA readiness can have benefits extending well beyond California. As other proposed state privacy laws follow California’s lead and tilt toward consumer protection, CCPA-ready businesses will be a step ahead on the road to compliance.
InsightNew data privacy laws demand more proactive board oversightToday’s executives have plenty of reasons to worry about business risks. Chief among them is compliance with sweeping new privacy regulations that apply to organizations across industries and geographies.
InsightCCPA deadline looms: Three critical areas to prioritize by Jan. 1With the effective date of the California Consumer Privacy Act (CCPA) just weeks away, covered businesses are scrambling to meet the law’s wide-ranging requirements. These efforts are hampered by confusion around the CCPA and the recently proposed Attorney General implementing regulations. Nevertheless, businesses are still required to comply by the Jan. 1, 2020, deadline.
InsightThe CCPA requires ‘reasonable security.’ What exactly does that mean?Shahryar ShaghaghiOn Jan. 1, 2020, California consumers will wake up to a new era of expansive data privacy rights. Businesses that serve them will more likely greet the new year with compliance headaches induced by the California Consumer Privacy Act of 2018, or CCPA.
Press ReleaseCohnReznick expands Cybersecurity and Privacy Practice; Forms Privacy Advisory GroupCohnReznick LLP, one of the leading advisory, assurance, and tax firms in the United States, announces a strategic expansion of its Cybersecurity and Privacy practice with the establishment of the Privacy Advisory Group.