Updated: Jul 29, 2019
The California Consumer Privacy Act (CCPA) requires significant changes to specific operational and eDiscovery processes.
Organizations unfamiliar with dealing with stricter privacy rights legislation may be getting nervous as 2020 and enforcement of the CCPA approaches.
However, eDiscovery software and technology have recently tackled some very similar challenges to those presented by the CCPA. The European Union's General Data Protection Regulation (GDPR) is one such piece of legislation that we've written about in the past.
If organizations work with eDiscovery professionals to implement processes and solutions ahead of time, they will be fine.
What is the CCPA?
This bill, signed into law in June of 2018, enhances privacy rights and consumer protection for residents of California. The legislation increases transparency for consumers about what personal data is being gathered about them and gives consumers more ability to access and control how companies use their data.
Here's how you can prepare.
Prepare for the CCPA: Ask if it even applies to you.
Before planning – and spending time or money – on updating software, processes, or staff, make sure the CCPA applies to your organization. It does not apply to all organizations that process personal data in the same way the GDPR does.
The CCPA only regulates companies that:
Have gross revenue of $25M
Transact the personal information of more than 50,000 consumers
Derive at least 50 percent of their annual revenue from selling personal information
If none of those apply to your business, you're likely off the hook. (Just triple-check with a legal team or legal service provider to be certain.)
Prepare for the CCPA: Become familiar with the impacted data.
The type of information that must be disclosed under the CCPA is almost identical to what is disclosed for Data Subject Access Requests (DSARs) under the EU's General Data Protection Regulation (GDPR) and for petitions under the Freedom of Information Act (FOIA). The only difference is that the data is held by the private sector rather than the government. The people familiar with managing GDPR or FOIA petitions can be an easy go-to first resource for CCPA challenges.
This is a great, free, and ungated guide from Reuters that compares the CCPA to the GDPR. It is a quick way to get a sense of what the CCPA touches and how it differs from another important piece of privacy legislation.
Prepare for the CCPA: Expect a lot of requests.
According to the FOIA Project, by June, the number of DSARs for 2019 in the United States surpassed 2018's total. Publicity for the CCPA and improved knowledge of privacy rights among American consumers will likely drive high volumes of data requests as well.
Plan the logistics of managing these requests now. To start on the right foot when the law goes into effect, applicable companies must:
Inform users before they collect data
Inform consumers what categories of data will be collected
Give consumers the option to opt out of that collection
Being caught off guard in 2020 can result in costly fines or organizational chaos when a flood of requests pours in from Californian consumers.
Prepare for the CCPA: Automate, automate, automate.
My colleague Jed Cassinelli offered similar advice for migrating eDiscovery case data. Why? Automation eliminates inefficiencies by establishing more consistent, stable processes. This leads to more reliable, accurate data as well as the opportunity to replicate tasks – like processing multiple requests for data – more effectively and quickly.
There are several technical options for accelerating this work and reducing errors. Information governance software can help inventory and automatically disclose, modify, and delete customer information on request. Additionally, automated markup utilities like Blackout can help by significantly reducing the costs associated with manual review and errors.
Prepare for the CCPA: Ask for help when you need it.
The CCPA may add some new responsibilities and logistical challenges, but it doesn't have to be costly. It also does not necessarily require that businesses hire new staff. They simply need to evolve known processes to deliver on the latest legal expectations consumers will have for their data.
Many tools, like Relativity and Blackout, already have the functionality necessary to process this data securely once it is collected.
Look for workflows designed by professionals who have worked with similar privacy legislation in the past, and don't be afraid to ask questions. As with most things, the only reason to fear the CCPA is if you don't plan ahead.