Editor’s Note: This post was originally published in April 2019 by www.law.com
The California Consumer Privacy Act (CCPA) hits in less than a year, but its broad definitions and lack of precedent have left many impacted in-house counsel stumped on compliance efforts.
Data privacy professionals teamed up to provide their CCPA compliance advice at a recent webinar on adapting compliance strategies from the European Union’s General Data Protection Regulation to fit California’s law.
Jerrod Bailey, the chief strategy officer of blockchain company Truyo, and Dominique Shelton Leipzig, the co-chair of Perkins Coie’s ad tech privacy and data management practice, discussed some of the CCPA’s confusing points and how in-house counsel can get their company ready. Here are five takeaways:
- Keep track of requests in one place. CCPA-impacted companies can expect a flood of data subject requests in 2020, Leipzig said. Companies hit by GDPR have already seen “thousands” of data subject requests, she said, so legal departments should “keep a centralized area for responding to consumer requests.” If requests aren’t stored and handled in a centralized location, it’s more likely they’ll be lost or forgotten, possibly leaving companies open to legal liability. She said U.S. companies are operating in a more established culture of class actions than European counterparts and could see suits once CCPA is effective.
- Have a ‘do not sell’ button. This is required by CCPA and it’s an obligation even GDPR-impacted companies haven’t faced before. All companies impacted by CCPA must place a “clear and conspicuous” link button titled “Do Not Sell My Personal Information” on their online homepage. Bailey said companies with apps should also consider whether they’ll include the button in their app; at the moment, he said, the law isn’t clear whether this is required. He added that companies may respond to these requests using a mix of automation and manual work.
- Data’s ‘sale’ is complicated. Companies may not swap data for cash, but under CCPA the definition of sale is “very broad,” Leipzig said, and includes “any transfer of personal information of California residents for which there is valuable consideration” even if no money is exchanged. She offered this example: retailers exchanging email lists for a joint promotion campaign because it will enable more sales and higher profit in the future.
- Keep California separate? The ‘do not sell’ button is only required for California residents, but Bailey said many companies plan to offer it to all U.S. users. “Will I selectively display this link? Am I going to show it to everyone who comes to my website?” Bailey said. “Or am I going to somehow try to fence off California citizens and only show them the link? … For this particular use case, it’s a hard thing to do.”
- Verify users’ identity. If companies do choose to keep California residents separate, they’ll need to identify which consumers are from the state, the privacy professionals said, and that can get complicated. Leipzig advised against collecting data such as uploaded driver’s license photos; it just adds to the data a company needs to protect. At a minimum, Bailey said websites should include CAPTCHA tests and emailed verification to prevent bots from spamming ‘do not sell’ links.
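The last two takeaways, a centralized request log and emailed verification that keeps bots from spamming ‘do not sell’ links without collecting extra identity documents, can be combined in one small intake component. The following is an added illustration written for this page; it is not code from Truyo, Perkins Coie or the webinar. It assumes a hypothetical `RequestRegistry` that records every consumer request in one place, issues an HMAC-signed, time-limited verification token to be sent by email, rejects tampered, expired or replayed tokens, and caps the number of unverified requests per email address so a bot cannot flood the queue. The secret key, the 24-hour lifetime and the per-address cap of three are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 24 * 3600   # constructed: verification link valid for one day
MAX_OPEN_PER_EMAIL = 3          # constructed: cap on unverified requests per address


@dataclass
class ConsumerRequest:
    """One entry in the centralized request log (hypothetical schema)."""
    request_id: str
    email: str
    kind: str                     # e.g. "do_not_sell", "access", "delete"
    created_at: float
    verified: bool = False
    status: str = "pending_verification"
    history: list = field(default_factory=list)   # (timestamp, event) audit trail


class RequestRegistry:
    """Single place where consumer requests are opened, verified and tracked."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key            # HMAC key; in production load from a secrets store
        self.now = now            # injectable clock so expiry can be tested
        self.requests: dict[str, ConsumerRequest] = {}

    def _mac(self, request_id: str, issued: int) -> str:
        msg = f"{request_id}:{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def open_request(self, email: str, kind: str) -> tuple[str, str]:
        """Log a new request and return (request_id, token to email to the consumer)."""
        email = email.strip().lower()
        open_unverified = sum(
            1 for r in self.requests.values()
            if r.email == email and not r.verified
        )
        if open_unverified >= MAX_OPEN_PER_EMAIL:
            raise ValueError("too many unverified requests for this address")
        request_id = secrets.token_hex(8)
        issued = int(self.now())
        req = ConsumerRequest(request_id, email, kind, float(issued))
        req.history.append((issued, "opened"))
        self.requests[request_id] = req
        # Token carries the id and issue time; the MAC binds both to our key.
        return request_id, f"{request_id}:{issued}:{self._mac(request_id, issued)}"

    def verify(self, token: str) -> bool:
        """Consume an emailed token. False on tamper, expiry, replay or unknown id."""
        try:
            request_id, issued_str, mac = token.split(":")
            issued = int(issued_str)
        except ValueError:
            return False
        # Constant-time comparison so token validity cannot be probed via timing.
        if not hmac.compare_digest(self._mac(request_id, issued), mac):
            return False
        req = self.requests.get(request_id)
        if req is None or req.verified:
            return False                      # unknown id, or token already used
        if self.now() - issued > TOKEN_TTL_SECONDS:
            req.history.append((int(self.now()), "token_expired"))
            return False
        req.verified = True
        req.status = "verified"
        req.history.append((int(self.now()), "verified"))
        return True

    def status_counts(self) -> dict[str, int]:
        """Queue overview for the legal team: how many requests are in each state."""
        counts: dict[str, int] = {}
        for r in self.requests.values():
            counts[r.status] = counts.get(r.status, 0) + 1
        return counts


if __name__ == "__main__":
    registry = RequestRegistry(secrets.token_bytes(32))
    rid, token = registry.open_request("Resident@Example.com", "do_not_sell")
    print("would email token:", token)
    print("verified:", registry.verify(token))
    print("replay accepted:", registry.verify(token))
    print(registry.status_counts())
```

A CAPTCHA on the web form would sit in front of `open_request`; the registry itself only needs the email address the consumer already supplied, which keeps the verification step from adding driver’s licenses or other sensitive data to what the company must protect.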