In just a few short weeks (January 1, 2020), the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees. Is your organization ready?
We have prepared a number of client alerts and blog posts to help you determine if your organization is subject to the CCPA and, if so, the steps necessary to comply.
General Guidance
As a first step, we recommend that you take the time to listen to our webinar – The Final California Consumer Privacy Act – What Are Your Obligations? Our blog post, Proposed CCPA Regulations: Initial Overview and Highlights, also provides a synopsis of the Regulation and its requirements.
Our client alert, The California Consumer Privacy Act – Applicability, delves into the CCPA’s applicability and will help you ascertain whether your organization must comply with the Regulation. Next, we recommend conducting a gap assessment to determine the required steps for compliance. Our client alert on Gap Assessments outlines the necessary steps to gather information, map your data and, finally, assess the difference between your organization’s current practices and the actions necessary to achieve compliance.
Guidance for Data Brokers
Is your organization considered a data broker? If so, the CCPA requires that you register with the California Attorney General’s Office on an annual basis. Our blog post on this subject discusses Assembly Bill No. 1202 and defines key terms such as “data broker” and “direct relationship.” It also addresses the registration requirements.
Guidance for Financial Institutions
The CCPA provisions include certain exemptions for personal information that is regulated pursuant to the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act and the Fair Credit Reporting Act. However, these obligations are not absolute. Our blog post, I’m a Financial Institution – What Do I Need to Do Under the CCPA? identifies the steps financial institutions should take to prepare for compliance.
Guidance for Employers
Finally, we have all heard that the CCPA provides a carve-out for employee data. Although generous, the carve-out is not unlimited. Using worker data for any purpose other than employment-related purposes will likely result in the data falling outside of the scope of the exemption, and employers are still required to provide notice. Our blog post, I’m an Employer – What Do I Need to Do under CCPA? discusses the scope of the exemption under the moratorium and the obligations of employers.