Preparing for the California Consumer Privacy Act

Privacy law in the United States is about to undergo a fundamental change when the California Consumer Privacy Act becomes effective on January 1, 2020. Preparing for the CCPA has been complicated by the fact that the California legislature is still considering bills that would amend its terms, and the California Attorney General’s office is charged with drafting interpretive regulations for a law that has not been finalized.

For companies with complex corporate structures, one of the first steps should be analyzing the company’s corporate structure to determine which entities can be considered the same business and which must be treated separately. Identifying which corporate entities qualify as the same business will determine how to respond to requests for information.

Inventory your data. Organizations won’t be able to comply without understanding what personal information flows into the organization, why it is being collected, where it is stored and whether it is being shared. Determine your web presence. Many organizations have numerous websites that they created over the years for various purposes. If they are active, they are subject to the CCPA. Understand how your organization uses “cookies.” Cookies are one of many types of information that the CCPA defines as personal.

Although certain activities can be stayed pending the Attorney General’s regulations, others — such as analyzing your organization’s corporate structure, conducting data inventories, understanding your organization’s web presence and cookie usage, and reviewing your information security posture — can be undertaken now.