
Creating a CCPA Compliance Program: Where to Start

October 2, 2019  |  18 min read


This post is the third article in a series recapping Logikcull’s recent webinar on the California Consumer Privacy Act, with Emily Yu, Privacy, Policy and Compliance Director at Roblox, Eric Goldman, Professor of Law at Santa Clara University School of Law, and Christian Auty, Counsel at Bryan Cave Leighton Paisner.

In the excerpt below, our panel discusses strategies for complying with the CCPA, key provisions to be aware of, and outstanding questions regarding the CCPA’s implementation. You can also read the first post in the series, offering a brief introduction to the CCPA, here and the second, on differences between the CCPA and GDPR, here.


Creating a CCPA Compliance Program: Where to Start

Logikcull: Many people here are looking at the compliance challenges that CCPA creates. Where do we actually start when we are building out a compliance program? Emily, why don't you walk us through the process of building your compliance regime.

Emily Yu: Sure. One of the first things is to actually determine whether or not your business is in scope. You'll want to go through the elements that Eric had mentioned earlier to figure out whether CCPA will cover your business, or whether you're outside of it. Then from there, you'll probably find out that, let's say, you do, in fact, need to comply with CCPA.

You'll want to try and get some form of executive buy-in. I suggest this because you're going to need to reach out to a variety of different stakeholders throughout the org as you're attempting compliance for CCPA. To have that executive buy-in is going to save you a lot of time and headache in the long run.

Then the next thing would probably be to go through and work through data discovery or identification, or data mapping and data inventory.

That particular step is going to take a bit of time. You'll want to identify what personal information you collect about the consumers in California, what you're using that information for, essentially going through the entire data lifecycle, and then really focusing in on who you share that information out to, in particular with third parties such as vendors, or as the CCPA calls it "service providers," and then other types of third parties. That's going to be really, really useful information as you're preparing your data subject request mechanism essentially. You'll need to figure all of that out, including data retention and destruction, and all of that, the entire lifecycle.


Determining Your CCPA Risk Tolerance

Yu: As you're doing that, I would also recommend to focus in on the risks to your company as well as what your company's risk appetite is. Because for some companies, they might not be really collecting a lot of information from consumers. Others, obviously, may be collecting a ton of information. You really need to figure out what the risk appetite is of the business and that'll help you determine what to prioritize when you're doing the compliance work, and it will also help with driving major decisions and selling this particular compliance program to your stakeholders.


Preparing for DSARs

Yu: In terms of preparing for data subject requests, I just want to provide first some of the basics about data subject requests for CCPA. These will begin January 1st, 2020, essentially. You'll have about 45 days from the receipt of the request to fulfill it, and that fulfillment within 45 days can be "reasonably" extended another 45 days as long as you provide notice to the consumer that that's what you're going to need to do.

The fulfillment must also be free of charge, and it must cover the last 12 months, essentially what they call the lookback period, of that person and how you processed and shared their data. You're also going to have to set up an intake method, at least two or more currently, although I know there's an amendment out there; whether or not it passes is kind of up in the air currently. But at minimum, they have the toll-free number that's in the statute. Then if you have a website, a website address or address.

You'll also need to train your employees that are the frontline who accept those intakes to handle the CCPA requests. They're going to need to be aware of what the California Consumer Privacy Act is and what the responsibilities are and how to handle personal information in a very secure and private way. That's going to be something that you're going to need to also add in, in terms of your timeline or roadmap for compliance.


The DSAR Verification Process Under the CCPA

Yu: Now, one of the things they talk about, too, is verifiable consumer requests. That is how you establish how to verify a consumer to ensure you've identified that consumer appropriately and that it's not someone else trying to get the personal information. In theory, we're supposed to receive guidance from the attorney general's office, but we don't know when that will be.

Determining the type of verification process will probably, again, be based on your risk appetite and the type of information that you're collecting. As an example, would verifying the email address on record with the person emailing in be sufficient? Again, it all depends on what your business does and collects and all of that.

There are also a lot of third-party verification services out there, so you may need to consider the implementation process in addition; you'll have to add that into your roadmap or timeline.

Also, just to note with the verifiable consumer requests, you can't require that consumers make an account on your website for you to be able to fulfill that request. Just keep those things in mind.


CCPA Access Requests and Disclosure

Yu: In terms of the types of requests you'll receive, one of the most common ones will probably be access requests. Again, you're going to need to provide that to them in some type of report or document. You can send that either via mail or electronically, and if it's electronic, it has to be readily usable, so they may be able to take it to another third party if they want to switch providers. That's something that you have to keep in mind.

The information you provide will have to have the categories of personal information that you sell to the categories of third parties that you sell it to and the categories of personal information disclosed to the categories of the third parties that you disclose it to. You're going to have to have two separate lists for that. That way consumers are aware of the difference.

There are quite a few things that need to be included in the disclosure. The five major ones are just categories of personal information you've collected, and where it came from, the commercial purpose or your business purpose for collecting it or selling it, and the third parties, the categories of those third parties who you share that information with, and, finally, the specific pieces of the actual personal information you've collected about that consumer. In terms of selling to a third party, you do need to provide some type of opt-out on your website, like a link. That's going to be for the majority of adults. Obviously, for children, as Eric had mentioned, you will need consent to opt in. For adults, you're going to have to have a link that provides information to them about that and provides them the ability to opt out.


The Right to Erasure Under the CCPA

Yu: Now, the right to erasure. I'm not going to go through the entire list of exemptions here, but one thing I do somewhat appreciate about CCPA, unlike GDPR, is that there are these carveouts with regard to the right to erasure, where you don't have to erase the information if it happens to fall into one of these categories.

That helps a great deal, especially when you're dealing with a security breach or investigation, debugging or repairing a system, legal obligations, or even transaction completion. Again, this is why it’s really helpful to do a data inventory and learn why you collect the information you do and how you're using it. This can help you prevent accidentally erasing some information you're going to need further on down the line that may fall into one of these exclusions.

Finally, for data subject requests and discovery issues, basically in the statute it says that erasure doesn't apply where compliance by the business would violate any evidentiary privilege under California law. It shouldn't prevent a business from providing personal information to a person who happens to be covered by an evidentiary privilege. That would then, I assume, be an attorney, if you have attorney-client relationship or something to that effect.

In terms of discovery issues, I've seen personally in the past where GDPR could be used by a former employee as an alternative or supplement to discovery because you're going to have to provide them all this information for a right to access request in addition to discovery requests. But, hopefully, we're not going to see too many of these kinds of tactics go on with discovery and the CCPA. I didn't know if anybody else had any thoughts on that. If not, I'm going to turn it back over to Casey and Christian.


Updating Privacy Policies for the CCPA

Logikcull: Great! Thank you, Emily. This is an actual screenshot of my email inbox in May 2018, when the GDPR went into effect.

Christian, when it comes to updating privacy policies, is this something we're going to see for the CCPA? What do people actually need to do to make sure that their privacy policy complies with the notice requirements of the law?


Christian Auty: There's going to have to be some changes in all likelihood to the privacy policy, in particular, because there is arguably a requirement to disclose what you're collecting, to whom, whether it was service providers, whether you're selling the data along the lines of or according to the enumerated categories that are outlined in the law. It won't be enough to just sort of generally state, "We sell data or we send your personal information to service providers." You've got to go line by line, at least arguably, through the enumerated categories and say, "Yes, no, yes, no, yes, no." That's going to be a change.

Obviously, if you've got something in place for responding to DSARs under GDPR, your process likely will not change too much. I say likely will not change too much because we don't know how a verifiable consumer request is going to be defined yet, because that's going to come from the attorney general. But if you were just starting at this or looking at this anew in the United States, you're going to also have to obviously disclose the fact that these rights are out there without conceding that they're actually applicable in specific instances. What I'm thinking of here is, for example, there are several exemptions to CCPA that we haven't really talked about yet. There's an exemption for the Gramm-Leach-Bliley Act, so consumer data for banking or insurers, things of that nature. There's an exemption for protected health information, and in those cases, arguably, these data subject action requests would not apply, in addition to the evidentiary restriction that Emily mentioned. You're going to have to describe these rights, but you're going to have to do so in a way that doesn't concede that the rights are valid in all cases. Those are a couple of the main changes to the privacy policy.


Who Counts as a Service Provider Under the CCPA?

Logikcull: Excellent. Thank you, Christian. Let's go ahead and start talking about the definition of service provider and who counts as one.

Auty: Sure. The definition of a service provider—I call it a poor man's Article 28. In section 140(v), there are three, arguably four elements to what a service provider is. First of all, it's a written contract. This is very much like Article 28. Second of all, there's a use restriction. How far that use restriction goes and what that use restriction means remains to be seen, but essentially the idea is that the business is transferring the personal data to the service provider to a specific use as described in the agreement and not more.

There are also disclosure and retention restrictions that need to be built into the written contract so you're not supposed to disclose it to third parties, theoretically, unless that's contemplated under the agreement.

The service provider is restricted from disclosing personal information for purposes other than under the agreement and the service provider is restricted from retaining personal information other than for the purposes set forth in the contract.

This is at a 10,000-foot level. This feels a lot like how controllers treat processors: “Follow my written instructions, don't appoint sub-processors unless you provide me with notice first, etc.” There are at least two reasons why this is so valuable, and there may be more. One is that the transfer of personal information to a service provider under these circumstances, provided it meets a couple of other requirements that need not detain us here, does not count as a sale and does not have to be disclosed as a sale. Therefore, if all of your transfers were to service providers, you would not have to put in that opt out, put in that "do not sell my data" button and have that opt out process.

The other reason is that there is a liability shield under 1798.145(h) for service provider conduct after you've made the transfer if you don't know they're going to do something that violates the act. If a business transfers data to a service provider—I'm paraphrasing here—and then the service provider does something bad without the business' knowledge and it wasn't contemplated in the agreement, arguably there's a liability shield there under 1798.145(h). That's why this is valuable.

I think what will end up happening is it'll be like contracting with controllers and processors back in 2018. There'll be a flurry of paper and people will go back and forth as to what these requirements are. Ultimately, agreements will get amended to the extent that they don't have these requirements in them already.


The Definition of “Sale” Under CCPA

Logikcull: Great, thanks. Christian, you touched on this a little bit already, but walk us through determining what actually counts as a "sale" under the CCPA.

Auty: A sale is… I mean, it's almost anything. The takeaway that you have about sales from this webinar is sale does not mean sale in any sort of normal colloquial sense that we actually use it. Sale means selling, renting, leasing, disclosing, disseminating, making available, transferring, or otherwise communicating, orally or in writing, personal information.

Then, here's the big hook. For monetary or other valuable consideration, it's very broad. It's not just monetary consideration. It's other valuable consideration. If you give personal information to somebody who's performing some other service for you and they're performing that service in relation to that transfer, that could be a sale.

That's why you're looking at exceptions. Instead of saying, "This just isn't a sale. This just isn't a sale," you're looking at can these people, this vendor, and this counterparty be a service provider? Can we make the argument that the consumer is using or directing the business to intentionally disclose the personal information or using the business to intentionally interact with the third party? Because that, too, is an exception to the sale of personal information. Those are the two big ones.

The takeaway is sale is really broad, but there are some exceptions that could be useful here and it just depends on the data flow, and it depends on the interaction with the consumer as to whether those apply.


Outstanding Issues With the CCPA

Logikcull: Great. Thanks for walking us through that, Christian. We're getting towards the end of today's presentation. We're going to probably run a few minutes over, so don't worry if you have a question that we haven't gotten to yet, but we have just a few months before this law comes into effect on January 1st, 2020. As we've seen, there are tons of ambiguities and outstanding questions that remain. I want to just take a moment to get a sense of the panelists' most pressing or important questions regarding the CCPA, the issues that keep you up at night. Emily, you work for a platform that has, I think, millions of users and a lot of personal information. What is it about the CCPA that you are most concerned about that is not yet an answered question?

Yu: Honestly, it's just even the very definition of the terms that are used within the CCPA. Because even when defining personal information, they include consumer or household as part of their definition without actually defining the term household. It's just stuff like that that makes it very difficult to operationalize and know that you're fully compliant, because it's so broad that you become unsure as to what might constitute personal information versus what doesn't. As Chris had suggested, you basically have to look at what the exclusions or exceptions are for a lot of these requirements instead of actually looking at the actual definition. That's one of the things that does keep me up at night, just making sure that when we're compliant we actually are fully aware of what the scope of a lot of these definitions includes.

Logikcull: Great. Christian, what about you, as someone advising companies around this issue?


Auty: I think one of the big unanswered questions here is what exactly will be the enforcement philosophy of the California AG come July 1st? Much of this, as Eric mentioned, almost all of this law can be enforced by the AG only, at least right now. What approach are they going to take? Are they going to take a punitive approach? Are they going to take a collaborative approach? There's this concept of a cure period. How are they going to use that? Who are they going to go after first?

What we've seen with GDPR with some of the larger supervisory authorities, France, England, the Irish DPA, and to a certain extent the German DPA, we've seen them go after big guys right away, Facebook, Google, etc. Is that same approach going to be taken in California or are they going to take an approach like, for example, what the SEC has sort of done with initial coin offerings and with cryptocurrencies, which is go after smaller entities first, maybe make some good law and then go after larger entities?

Just what is going to be the philosophy? How are they going to approach it? I'm sure they're going to be inundated with complaints, so it remains to be seen.

Logikcull: Eric, what about you? What is foremost in your mind in terms of the ambiguities around this law?

Eric Goldman: One of the points Christian mentioned needs to be underscored. With the GDPR, most companies compliant with GDPR are used to playing ball with the DPAs. There's give and take, a back and forth, and the DPAs don't necessarily think enforcement first. They think, "We want people to do the right thing." There's a lot of trust and compromise that's built into the GDPR.

The AG's office has never done that before and they may not be philosophically constituted as a DPA. They might think of themselves as an enforcement shop, so instead of playing ball with the regulated industries, they may think, "We're going to go crack skulls. That's our job. That's what we've been best at for 100+ years."

Going to Christian's distinction between the GDPR and the CCPA, I would point out how much trust is built into the system with the DPAs that are in action with regulated businesses and how in the U.S. we're not sure that's going to be the case.

Just quickly two other things I'll mention. I am very interested in this verifiable consumer request, what the legal stems are. Because depending what the AG says they think is going to be required, we might all have a lot of extra compliance work and we're going to get that soon. But the law starts on January 1 at that point. There may be a very short turnaround time.

Then the last thing—and this may be part of another question you've got coming, but I think it's a great point here. Everything that we just discussed was only thinking about California law. If this law is cloned and revised, on the one hand, that's good news. The revisions might improve the law. On the other hand, each new revision to the law is going to exponentially multiply the number of ambiguities that you have to work with. You've got all these ambiguities in California and then you've got different ambiguities in State B and in State C. I just see this mushroom cloud of ambiguities. It's going to grow exponentially as this law is cloned and revised.


Watch the entire webinar on preparing for the California Consumer Privacy Act. And if you’d like to see how Logikcull can fit into your CCPA and GDPR compliance programs, create a free Logikcull account today.