The world has markedly changed since the California Consumer Privacy Act (CCPA) became effective on January 1, 2020. Under shelter-in-place orders and even amid gradual reopenings, many states have required businesses to slow or stop production as the country and world adjust to a new normal in light of COVID-19.
But the California Attorney General’s (AG) Office remains determined to begin CCPA enforcement on July 1, even though the draft regulations may not yet be final.
With July 1 just around the corner and companies dealing with a new slate of COVID-19-related privacy issues, now is an ideal time to focus or refocus on CCPA compliance.
Your CCPA Summer To-Do List
- Consider COVID-19: Your company may be collecting new data from employees and customers in response to COVID-19, but did you know that collecting health or other personal information may impact your CCPA obligations?
- Inventory Collection and Add Just in Time Notices: Do you know all the places personal information is collected (e.g., apps, surveys, sweepstakes, chat bots, et cetera)? Do you have a notice at each collection point?
- Analyze the Impact to Other Parts of the Business: CCPA obligations don’t begin and end with your website. Consider how your company’s compliance with the CCPA affects other aspects of the organization, like document retention policies and procurement.
- Do a Tabletop Exercise
- Access to Specific Pieces of Information: What would a report from your company look like? Are you comfortable with that report appearing in the press? Do you even need all of that data? Now would be a great time to inventory and determine whether some data hygiene is in order.
- Authenticating Consumers: Test the user experience. How is it working? Does your authentication process align with the regulatory framework set by the CCPA?
Remember, the current CCPA regulations still aren’t final. Even companies that believe they are currently fully compliant will have to review the final version to be sure.
In addition, it appears that the California Privacy Rights Act (CPRA) ballot initiative will likely make it to the ballot this November, meaning further changes to California’s privacy laws are possible. If the CPRA provisions were enacted, they would go into effect on January 1, 2023, with enforcement beginning July 1, 2023. With some working aggressively to institute new data privacy obligations, covered businesses would do well to keep their eye on elections and their compliance programs and strategies, flexible.