
CCPA Parallel Path Compliance Program

California’s landmark privacy law goes into effect on January 1. While the contours of the law are still being shaped by the attorney general, we are helping our clients with a customizable ten-step program. Because compliance may require effort from across the business enterprise, we’ve set up a “Parallel Path” program, designed so that all business units implement compliance requirements at the same time, setting you on a rapid road to compliance.

1. Determine if the law applies to your business – Applicability depends upon the size of your company, the type and amount of data that you collect, and your industry.

2. Update your policies – We will want to review and perhaps update your privacy notice to comply with the CCPA, but there are a number of other policies that we will also need to review and update, including those supporting the IT, HR and legal departments.

3. Organize your data – The essential first step is to clearly identify the data that you collect, store, sell and share. We will also develop a keen understanding of how data is handled by your contractors, suppliers and service providers.

4. Prepare for CCPA requests – The law has aggressive response deadlines, and no one should be responding to CCPA requests on the fly. We get ahead of the issue by setting up a seamless process for handling CCPA requests.

5. Develop response plans – Once the requests come in, you’ll want to respond quickly and clearly. Every stakeholder in your company should be prepared to respond, and someone should absolutely own the process to ensure that everyone is keeping up.

6. Review incentive/loyalty programs – If you offer something in exchange for data, whether it’s discounts or other incentives, we will need to develop and document a compliant, credible and defensible policy to justify the program.

7. Train your workforce – Any process can come to a screeching halt if employees are unprepared. With the limited timeline to respond, you’ll want to make sure that your employees know how to respond, escalate or coordinate with colleagues.

8. Monitor your responses – The regulations proposed by the attorney general require businesses to keep a record of CCPA requests for 24 months; beyond that requirement, comprehensive records of your responses to CCPA requests ought to be a necessary part of your risk program.

9. Document exceptions – The CCPA offers numerous exceptions that some companies will rely upon to avoid the strict dictates of the law. Regardless of which exception you rely upon, you’ll want to make sure that your action is recorded and monitored.

10. Prepare for litigation – You can start mitigating potential damages and fines by implementing and maintaining reasonable security standards. We initiate that process with a comprehensive response plan and a suite of risk management services.