Documenting CCPA Compliance
The California Consumer Privacy Act (CCPA) permits the Attorney General (AG) to begin enforcement six months after publication of the final regulations or July 1, 2020, whichever is sooner. The July 1st date won that statutory race. The California AG issued a consumer alert on June 30, 2020 reminding consumers of their data privacy rights under the CCPA. The AG also reiterated in the alert that his “office is committed to enforcing the law starting July 1.” Unconfirmed reports have begun to appear online that several companies have already received notices of noncompliance from the AG.
Businesses subject to the CCPA should, if they have not already, begin thinking about and preparing for how they would respond to a notice of noncompliance from the AG. The proposed final regulations prescribe certain record-keeping requirements that will, if they remain in the final regulations, need to be incorporated into your business’s CCPA compliance program. These same requirements may also prove helpful in documenting your business’s compliance with the CCPA to the AG.
The proposed final regulations permit records of consumer requests made pursuant to the CCPA and how the business responded to these requests (collectively, CCPA Records) to be maintained in a ticket or log format, provided the ticket or log includes the following information for each consumer request:
- Date of request;
- Nature of request;
- Manner in which request was made;
- Date of business’s response;
- Nature of business’s response; and
- Basis for denial of request if request was denied in whole or in part.
The ticket or log format is an option. Covered businesses may elect to maintain CCPA Records in other formats.
Purpose and Use Limitations
The CCPA prescribes certain purpose and use limitations on personal information (PI). Covered businesses may use PI collected from a consumer in connection with the business’s verification of that consumer only for the purposes of verification. The CCPA also prohibits a business from using PI collected from a consumer in connection with the consumer’s submission of an opt-out request for any purposes other than for complying with that request. The proposed regulations also prescribe the following purpose and use limitations:
- Internal Use: Information maintained for record-keeping purposes may not be used for any other purpose, except as reasonably necessary for a business to review and modify its processes for compliance with the CCPA and the final regulations. A business’s maintenance of any information required under the regulation’s record-keeping provisions does not violate the CCPA, provided the information is not used for any other purpose.
- Third Party Sharing: Information maintained for record-keeping purposes may not be shared with any third party, except as necessary to comply with a legal obligation.
The Statement of Reasons (SOR) published by the Office of the AG (OAG) on July 1, 2020, which addresses the comments received by the OAG during the formal rule-making process and provides insight on certain positions taken by the OAG in the proposed final regulations, notes that these “limitations are necessary to clarify allowable uses for the information and to ensure that businesses do not sell the information or interpret uses ‘reasonably necessary for the business to review and modify its processes for compliance’ in an overly broad manner that would be inconsistent with the purposes of the CCPA.”
Reasonable Security Procedures
The proposed final regulations require businesses to implement and maintain “reasonable security procedures and practices” in maintaining CCPA Records. The regulations do not provide additional guidance on what would be considered “reasonable security procedures and practices.” However, the SOR notes that such procedures and practices “will help protect any personal information that may be included in these records from data breaches or other security risks.”
Record Retention Requirements
The CCPA specifically provides that businesses are not required to retain PI (1) collected for a single one-time transaction, if such information is not sold or retained by the business, or (2) for longer than it would otherwise retain such information in the ordinary course of business. The proposed final regulations do not focus on the retention of PI. Instead, the regulations require businesses to maintain CCPA Records for at least 24 months. The regulations also note that PI need not be retained solely for the purpose of fulfilling a consumer request made under the CCPA, except as required to comply with the regulation’s record retention requirements.
The “as yet to be determined” effective date of the CCPA regulations does not change the two most important dates under the CCPA: the January 1, 2020 effective date and the July 1, 2020 enforcement date. Since the AG is now enforcing the CCPA, covered businesses need to (1) ensure their privacy notices address consumer rights under the CCPA, (2) if they sell PI, ensure they are providing consumers with the right to opt out of the sale of their PI, (3) implement processes and procedures to timely comply with the CCPA’s consumer data access and deletion requests, including ensuring consumers may submit rights requests through the business’s website, (4) ensure contracts are in place with their service providers, (5) ensure that impacted employees receive training, and (6) address other applicable CCPA requirements.
Businesses also need to ensure they can document their CCPA compliance program. This includes retaining records of consumer rights requests and the business’s timely responses to those requests. If your business receives a notice of noncompliance from the AG, this “paper trail” will come in handy. A notice of noncompliance is an invitation for your business to “show and tell,” i.e., to prove to the AG that your business has been in compliance with the CCPA since January 1, 2020. Is your business ready to RSVP to this invitation?