Menu of CCPA Compliance Options for Businesses
- Do you feel like a novice when it comes to privacy law compliance – especially in California?
- Do you feel your business is behind the curve because you don’t have a privacy compliance officer or internal expert on privacy law?
- Are you unsure what you would do if you had a data breach tomorrow?
- Are you currently CCPA-compliant but have not yet started on all the CPRA changes that took effect January 1, 2023?
- Have you reviewed your CCPA policies and procedures for compliance with the regulations that took effect March 29, 2023?
- Do you feel good about your CCPA compliance when it comes to non-employee consumers but need help with employment data?
- Do you share data with third parties and need a better handle on managing the data flow?
- Are you interested in conducting a security or privacy assessment but are fearful that doing so without an attorney could lead to the discovery of any potentially negative findings?
- Do you have a cyber-insurance renewal coming up and are worried about getting renewed?
If your answer to any of these questions was “yes,” the Fisher Phillips Consumer Privacy Team has you covered.
Below you will find a menu of resources available to efficiently assist your business with all of the obligations that go along with the nation’s most stringent and burdensome data privacy law – especially the swath of new responsibilities that took effect January 1, 2023.
Before deciding which options and services your business needs, we invite you to schedule an initial consultation with one of our Consumer Privacy Team members to help determine what’s needed and make recommendations. Note that our work does not involve providing you with boilerplate template documents. Instead, any item created for you will be customized to match your specific needs. In fact, any organization that suggests they can provide you with a “plug and play” slate of template CCPA solutions without modification is doing you a disservice – and you will be the one paying the price down the road. Rather, CCPA compliance is an individualized process that involves forms, templates, notices, and policies specifically tailored for your business.
CCPA/CPRA Introductory Packet
This is a solid foundation you need to get started, regardless of your level of experience or expertise. The CCPA/CPRA Introductory Packet includes the following offerings:
- CCPA/CPRA Compliance Checklist
- Data Inventory Checklist and Spreadsheet
- CCPA Notice to Employees
- CCPA Notice to Job Applicants
- CCPA Notice to Individuals in the B-2-B Context
Don't forget your new "consumers" who became consumers under the CCPA as of January 1, 2023. This is a required notice to all natural person residents of California (a) who acted or are acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, non-profit, or government agency, and (b) whose communications or transactions with your business occur solely within the context of your business conducting due diligence regarding, or providing or receiving a product or service to or from, the entity on whose behalf the individual acts or is acting in their interaction with your business.
CCPA/CPRA Compliance Starter Kit
If you’re at square one and don’t even know where to get started, this package is for you. The Compliance Starter Kit gives you everything you need to develop a fully compliant strategy to meet all of your CCPA and CPRA needs, including:
- CCPA/CPRA Compliance Checklist and Roadmap
- Data Inventory Checklist & Spreadsheet
- CCPA Notice to Employees
- CCPA Notice to Job Applicants
- CCPA Notice to Independent Contractors
- CCPA Notice to Individuals in the B-2-B Context
- CCPA Notice to Board Members
- CCPA Poster
  - For placement in workplace, physical retail, and office locations
  - This operates as your “offline” notice at collection where personal data may be collected from or about consumers, such as through video surveillance or other in-person interaction with a consumer
- Data Processing Agreement (DPA)
  - Also known as a CCPA addendum to contracts with your service providers and vendors that process, collect, access, or maintain personal data on your behalf
  - If your business is itself a service provider, this would include the CCPA addendum to your client services agreement with your clients
  - There is also a separate version of the DPA for situations where you allow other entities, such as affiliates, parent or subsidiary companies, to access personal information of your consumers (including employees or applicants) in the course of the business transaction or relationship, but you want to make sure this does not constitute “selling” of data under the CCPA
  - If you sell data to third parties or share data with third parties for cross-context behavioral advertising, you will need a separate contract not listed here
Consumer Request Management Kit
This packet is perfect for businesses that collect and store consumer data. In the coming months and years, you are sure to receive consumer requests with respect to that data once the public becomes aware of their rights and enterprising plaintiffs’ attorneys poke and prod at various organizations to identify possible deficiencies. By ordering this kit, you’ll receive:
- A consumer request process handbook or manual for managing consumer requests (including methods for receiving requests, your verification process, how to acknowledge requests, a process blueprint for determining who in your organization will respond and what steps they will take with each type of request, and how to maintain proper recordkeeping for compliance)
- Online CCPA Consumer Request Form (which can be used if the law requires you to have an offline paper form available at physical locations or if you are DIY’ing the consumer request process through your website instead of utilizing a software tool)
- CCPA Consumer Request Response Templates (including the standard language and options for responding to different types of CCPA consumer requests accounting for different scenarios and options)
- Script for voicemail greeting message on toll-free number consumers call to submit consumer requests
- Sample script for employees answering CCPA consumer requests on any toll-free phone line
CCPA Compliance Training
All managers and employees with responsibility for any part of compliance must understand the law and the applicable rules – not just because it is the prudent thing to do, but because it’s the law. You can read more here for a detailed Q&A on this training requirement. By retaining the FP Consumer Privacy Team to host this training, you’ll receive:
- An initial one-hour consultation with a member of the FP Consumer Privacy Team to learn about your data privacy and compliance posture, experience, and concerns
- Development and customization of the training material
- An interactive two-hour training session for your executives and managers led by a member of the FP Consumer Privacy Team (either in person or virtual)
The “Jumpstart” Assessment and Data Inventory Program
If you are not sure what your organization needs to get done in order to get into compliance, this program is for you. Our team will provide a workshop to jumpstart your CCPA compliance efforts and tailor an individualized roadmap ahead for you so you can complete your work most efficiently and in a cost-effective manner.
- We offer one-day, three-day, or five-to-six-day programs depending on what’s needed at your organization. The best place to start is usually a one-day privacy gap assessment, but we can tack on additional days to focus on an inventory of your employment and other consumer data assets.
- For these programs, we team up with an operational and implementation consulting firm to jointly provide clients with a gap and risk assessment, custom roadmap, and data asset inventory, while maintaining the attorney-client privilege over all communications and work product.
- Each program includes executive-level data privacy training and goal alignment, a tailored privacy risk assessment, and a prioritized 3-6-9-month Privacy Roadmap (tailoring the steps to take based on operational needs, risk level, and legal priorities).
Annual Security Assessment
Although the CCPA regulations that took effect March 29, 2023 do not require an annual cybersecurity assessment, the next round of regulations is expected to include such a requirement. The California Privacy Protection Agency has commenced its rulemaking process to cover certain topics the agency did not cover in the first round, including whether businesses subject to the CCPA will be required to conduct an “independent” security audit on an annual basis with respect to certain sensitive data for which the risk of exposure and the potential harm from exposure are high. For employers, the sensitive and intimate nature of the data they collect about employees may trigger the obligation to conduct such an audit.
An annual cybersecurity assessment has long been a best practice, but it will now likely become part of the law by January or April 2024. We strongly recommend that this be done this year, before the requirement takes effect, and that it be done by an external auditor rather than an internal team evaluating itself, especially given the CCPA’s use of the term “independent” to describe the annual audit about which the agency will be issuing rules and guidance. Moreover, businesses are better served having this audit conducted at the direction of legal counsel to ensure that the attorney-client privilege and attorney work product protections will apply.
By retaining the FP Consumer Privacy Team to conduct this assessment for your organization, you’ll receive:
- An independent and external audit of all measures across your enterprise to secure and protect all personal information
- A joint effort by the FP Consumer Privacy Team and a technical cybersecurity expert to provide a legal and technical framework for all advice covered by the attorney-client privilege
Vendor Management and Due Diligence Assessment
Your relationships with vendors have never been more important given the January 1, 2023 changes to the CCPA and the regulations that took effect March 29, 2023. You will need to make sure that all of your vendor contracts are compliant – as well as ensuring proper due diligence on the part of the vendors so that you are not ensnared in an unintentional data security violation. As part of this assessment, you’ll receive the following:
- Since all contracts with vendors and third parties that access, process, or receive any of your consumer data (including any data of your employees or applicants) must be updated to comply with new law and regulations, you will need to review or rewrite each one. We can draft, revise, and redline your agreements with all such vendors to ensure compliance, with a particular focus on cooperation in responding to CCPA consumer requests, obligations and responsibilities in the event of a breach of your data in the vendor’s possession, and other similar issues.
- If your company provides services to other entities that include processing, collecting, or maintaining data on their behalf, we can also revise and edit your master services agreement with clients to address CCPA compliance from the service provider perspective.
- In addition, the new regulations also require you to include certain terms in contracts with third parties that are not “service providers” (i.e., not vendors) with whom you share personal information of any consumers. We’ll make sure these contracts are fully compliant.
- We can also step in to directly negotiate terms of data processing agreements with your vendors or their counsel.
- We can also assist with due diligence efforts to ensure the security measures taken by your vendors are sufficient. We may recommend bringing in a cybersecurity consultant to assist with examining the security credentials of your vendors as necessary.
- Finally, if your business clients are requiring you to undergo a security audit or provide documentation of your security measures, we can also work with you on customizing a packet you can provide to your clients in response to such inquiries.
Fisher Phillips will continue to monitor guidance for compliance with the CCPA and CPRA. Make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information. For further information, contact your Fisher Phillips attorney or any attorney on our Consumer Privacy Team.