United States: Eight Week Countdown To CCPA Compliance: 10 Essential Things To Do Now Despite The Uncertainty

Eight Weeks and Counting to the Deadline. The California Consumer Privacy Act (CCPA) becomes effective on Jan. 1, 2020. With the compliance deadline rapidly approaching, the finish line seems farther away than ever. In this article, we provide an overview of key changes in the final CCPA and how the state's attorney general regulations fit into the puzzle. The good news is that businesses can take just a few critical steps now to develop policies and procedures that both comply with the current law and can be adjusted to align with the final regulations that go into effect next year.

There Could Not Be More at Stake. Since the law's inception, businesses have struggled with uncertainty regarding what the law means and how to prepare for compliance—and for good reason. The CCPA's expansive definition of "sale" and the "Do Not Sell My Personal Information" provisions threaten to disrupt targeted advertising and make it more difficult for companies doing business in California to reach and develop commercial relationships with Californians. AdTech companies (many founded and based in California) could be disintermediated if advertisers return to first party ads and away from programmatic advertising given the lack of certainty and industry-supported technical standards for compliance. Even businesses with few or no contacts with California may be subject to the CCPA if they control or are controlled by a company or share common branding with a business operating in the state subject to the CCPA.

Don't Hyperventilate or Give Up! While the California attorney general recently issued draft regulations for the CCPA proposing stricter and more detailed requirements, they are not yet the law. In fact, there is a comment period that ends Dec. 6, 2019, and final regulations are not expected until approximately April 2020 (after yet a second comment period)—four months after the Jan. 1, 2020, effective date. Fenwick will analyze those regulations in a separate alert. Meanwhile, enforcement by the attorney general will begin soon after (no later than July 1, 2020).

10 Essential Measures to Take Now to Prepare for Compliance. With the final amendments passed by the California legislature and signed by the governor, this alert is designed to cut through the noise by (i) summarizing what you need to know about the recent CCPA amendments and (ii) providing 10 practical measures you can take now to prepare for the CCPA on a risk basis and in line with evolving industry practices.

Where the Law Stands Now – The CCPA Amendments and Other New Laws. California recently amended the CCPA and adopted other laws impacting data privacy in several ways:

  • HR data is partially exempt from the CCPA for one year (AB-25). This should be a relief for many exhausted HR managers. However, the exempted information does not get a complete pass because the CCPA's data breach private right of action and privacy notice provisions still apply.
  • Definition of "personal information" under California breach notification law (and CCPA Private Right of Action) expanded to include biometrics and certain government issued IDs (AB-1130). California's breach notification law was amended to cover unique biometric data, facial recognition, tax identification numbers, passport numbers and other forms of government IDs. These types of data are now covered by the CCPA's private right of action for breaches.
  • The private right of action applies to breaches of nonencrypted and nonredacted personal information (AB-1355). The initial version of the CCPA provided a private right of action when "nonencrypted or nonredacted personal information" was disclosed as the result of the business's failure to maintain reasonable security. As a practical measure to limit liability where personal data is either encrypted or redacted (i.e., not both), the law was amended to clarify that the private right of action is not available if the personal information was either encrypted or redacted.
  • CCPA definition of "personal information" was modified to limit impact on data analytics and target marketing.
    • Definition narrowed – requires reasonable association with an individual (AB-1355). Personal information now includes information that is reasonably capable of being associated with, or could reasonably be linked... with a particular consumer or household. The addition of the word "reasonably" excludes information where association with a particular consumer is technically possible but extremely unlikely.
    • Deidentified and aggregated information excluded (AB-874). Personal information does not include deidentified or aggregated information or information lawfully obtained from government records. These changes are a big win for businesses that perform analytics.
    • Impact. These two amendments will benefit data analytics and selected targeted marketing where individual information is pseudonymized (low likelihood of reidentification) versus completely anonymized (incapable of re-association).
  • New expansive data broker registry law (AB-1202). California also enacted a new law requiring "data brokers" to register with the AG annually. A data broker is broadly defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Noncompliance can lead to fines and other penalties. This amendment may expansively impact AdTech and co-promotion efforts (e.g., airline and rental car cross-promotions and other lead-generation arrangements).
  • Responding to data subject requests for access and deletion made more business friendly (AB-1355). In a win for businesses, the CCPA was amended in three ways to make it easier for a business to manage and prevent identity theft: (i) for consumers who maintain an account, the business can require the consumer to make a request through the account, (ii) a business may also require authentication that is reasonable in light of the personal information requested and (iii) to help prevent possible identity theft, businesses are prohibited from providing a requestor their social security and other governmental ID numbers, financial, health and medical account numbers, and password and security information.
  • Nondiscrimination and differential pricing determined based on value to company (AB-1355). The reasonableness of charging a different price or providing a different quality of service is now determined based on the value of the personal information to the business rather than the value of the data to the consumer. Remember, if you use such pricing techniques, they are allowed going forward—under the proposed AG regulations, you just have to show your math (i.e., disclose your approach to valuation in your privacy policy).
  • A toll-free number is no longer required for online-only businesses that have a direct relationship with a consumer (AB1564). Businesses are still required to provide a toll-free number in many cases. Businesses that maintain consumer-facing websites must allow consumers to submit requests via those websites. Many smaller companies not sure how to comply are investigating potential answering machine and service solutions.

10 Essential Measures to Take Now to Prepare for Compliance

Given the complexity of the CCPA requirements, and the relatively short time period between adoption and implementation of the final regulations, businesses should develop policies and procedures that both comply with the law and can be adjusted to align with the final regulations. The CCPA and our recommended action items can generally be distilled down to affecting four key areas: (i) notice and choice, (ii) individual rights, (iii) improving internal processes and service provider oversight, and (iv) being proactive.

Based on our knowledge of industry initiatives and what we have seen others doing in this time of uncertainty, the following represent practical measures you can take now to prepare for the CCPA on a risk basis and in line with evolving industry practices.

Notice and Choice Action Items

  1. Revise your online privacy policy now in view of the CCPA and prepare to do it again when the regulations are final. Some businesses have already updated their privacy notices based on the initial draft of the CCPA. If you have not yet done so, now is the time to prepare the disclosures required under the law for Jan. 1, 2020—nothing else is timed to change before then. Recognize, however, that you will likely need to update the policy again in April or May 2020 to address any new requirements in the final version of the AG's regulations (following the second comment period).
  2. Map out a "Do Not Sell" function. Sale opt-outs require more complex handling than other types of requests and could require notification of downstream vendors under the AG regulations. If your business is selling personal information, you should develop your own manual (e.g., email) techniques for receiving and operationalizing Do Not Sell requests, while looking to leverage industry approaches such as the proposed Internet Advertising Bureau (IAB) CCPA Framework and Digital Advertising Alliance (DAA) Framework. While still developing and gaining support, we have been very active in learning both.
  3. Don't forget to include HR notices! As described above, while there is a one-year respite under the CCPA for various obligations relating to HR and worker personal information, the CCPA still requires businesses to inform employees and applicants about the categories of personal information collected and the purposes for which it will be used. Be comprehensive. Many companies are now developing employee and worker privacy notices.

Individual Rights Action Items

  1. Make sure the price is right.... Flag financial incentives involving consumer information to avoid anti-discrimination claims. Financial incentives are only permitted if the different price or service is reasonably related to the value provided to the business by the consumer's information. Conduct an inventory of your business's financial incentive programs now (including any data-driven dynamic pricing or discount programs, loyalty programs or demos) so you can quickly develop conforming pricing guidelines in view of the final regulations.
  2. Overhaul your consumer/data subject request procedures to provide more detail around authentication and restricted information not allowed to be released. Prioritize making sure your verification/authentication and data access procedures in your consumer/data subject request procedure are secure and adequately disclosed in your privacy policy. This will not only reduce identity theft, but also will streamline the process and minimize burden on your organization in managing and responding to requests. Many organizations concerned about the volume of potential requests they will receive are taking two novel approaches to prepare:
    • (i) Developing a data subject rights "playbook" which contains procedures and templates for confirming receipt of requests, verifying the requests, providing requested information, and fulfilling consumer options and
    • (ii) Conducting data subject request tabletop exercises with the appropriate stakeholders to ensure that the business is ready to address requests on Jan. 1, 2020, and make sure that call centers, support centers, receptionists and chat functions have scripts and know where to direct consumer requests.
    • Consider also tools and other methods to track data subject requests. Upgrade your data management capabilities to meet the serious burdens imposed by the proposed regulations. These regulations specifically state that a ticket or log format can be used to maintain records related to consumer requests. Many companies are customizing Jira or other ticketing systems or considering new tools offered by Transcend, Clarip, Informatica or ones incorporated into larger tools offered by TrustArc, Nymity and OneTrust.
  3. Decide how to support consumer requests, including considering toll-free phone number options. Set up a toll-free phone number if appropriate, and develop a plan for staffing it (i.e., live, messaging service or answering machine). Decide how and where the CCPA-mandated notices will be presented on your website and physical locations.

Improving Internal Processes and Service Provider Oversight Action Items

  1. Update your inventory of third-party data sharing. Understand your data flows to ensure that you have what you need to implement Do Not Sell requests. Many companies are doing a bottoms-up inventory reviewing all interfaces, SDKs and other means to share data with third parties. Make sure you are able to identify the third parties to which you have sold personal information in the past 90 days, so you can notify them if required by the final regulations.
  2. Review your DPAs with respect to data control. Evaluate whether your business is best served by relying on the service provider or other exceptions under the CCPA or allowing further downstream data use by others. If you collect data directly from an individual, review how service providers use your data and update your contracts as appropriate. This step is important, as many vendors who wanted to retain independent data rights, and classified themselves as co-controllers under the GDPR, are rethinking the value and exposure of that position in light of the possibility to have limited liability as a Service Provider under the CCPA (but only be allowed to use data as explicitly specified in a DPA or contract).

"Be Proactive" Action Items

  1. Adopt "reasonable security" (or at least map to CIS20) to prevent a costly data breach and class action. Select an appropriate standard defining reasonable security for your organization, such as the CIS 20 Controls. While most security organizations operate against and use ISO/IEC 27002:2013, NIST Cybersecurity Framework, PCI-DSS or other security framework, many organizations in anticipation of CCPA are now performing gap assessments in view of the selected standard and developing a plan for addressing any deficiencies. At a minimum, many companies are mapping their security controls to the CIS20, a safe harbor defense against from class actions under the CCPA. See Five Steps to Mitigate CCPA Class Action Risk: What Companies Need to Do to Increase Data Security.
  2. Prepare for registering as a data broker. Determine whether your business would be considered a data broker under the law. If so, develop procedures for registering with the AG on an annual basis.

Consider making public comments in response to the regulations. The AG proposed draft regulations are detailed and have many operational and unintentional business impacts. Let the AG know your business's take on the proposed regulations. Any public comments must be submitted by Dec. 6, 2019.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
11 Dec 2019, Other, Los Angeles, United States

Fenwick counsel Robert Brownstone will be lead chair in this highly interactive colloquium providing a deep understanding and practical advice regarding major e-discovery challenges facing organizations today.

12 Dec 2019, Conference, New Orleans, United States

Robert Brownstone will present on December 12 at 3:15pm on The E-Workplace: Privacy Issues and Cyber Security.

27 Jan 2020, Conference, California, United States

One of the most visible and highly-regarded securities and corporate law conferences in the country, the Securities Regulation Institute reaches prominent attorneys from both firm and in-house practices.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions