Have You Done Your Annual CCPA Housekeeping?

The California Consumer Privacy Act of 2018 (the “CCPA”) took effect a little over a year ago on January 1, 2020. While many businesses worked to bring themselves into compliance with the CCPA by that date, compliance with the CCPA does not end there. Under the CCPA, a business must update its privacy policy when it changes how it collects and uses personal information, and it must also review and analyze a number of items annually. Have you done your annual CCPA housekeeping? Use the checklist below to find out.

  • Have you updated the information disclosed in your privacy policy? Businesses must update that information at least once every 12 months. In particular, consider whether your privacy policy requires updates in response to the following questions:
    • Does your privacy policy accurately identify the categories of personal information your business collected about consumers in the preceding 12 months?
    • Does your privacy policy accurately identify the categories of personal information that your business disclosed for a business purpose in the preceding 12 months?
    • If your business did not disclose consumers’ personal information for a business purpose in the preceding 12 months, does your privacy policy disclose this fact?
    • Does your privacy policy accurately identify the categories of personal information of consumers that your business sold in the preceding 12 months?
    • If your business did not sell consumers’ personal information in the preceding 12 months, does your privacy policy disclose this fact?
  • Are you keeping track of the number of requests that your business received from a consumer? A business is not required to provide personal information to a consumer in response to a request more than twice in a 12-month period.
  • How far does your business look back when disclosing personal information in response to a request? The disclosure is only required to cover the 12-month period preceding the business’s receipt of the consumer request.
  • Are you keeping track of when a consumer has opted out of the sale of the consumer’s personal information, and is your business respecting the consumer’s decision to opt out for 12 months? Businesses must respect a consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
  • Do you know if your business, alone or in combination, bought, sold, or received or shared for the business’s commercial purposes the personal information of at least 10 million consumers in a calendar year? If so, by July 1 of every calendar year, your business will need to compile and disclose the following metrics for each category of consumer request received by your business (i.e., requests to know, to delete, and if applicable, to opt out of sale): (i) total requests received, (ii) total requests complied with in whole, (iii) total requests complied with in part, (iv) total requests denied, and (v) average number of days (median or mean) to substantively respond to requests. You can provide these metrics in the privacy policy or on a separate page linked to in the privacy policy.
  • If your business has no reasonable method by which it can verify any consumer in connection with a consumer request, have you evaluated whether your business can establish a reasonable method? Businesses must evaluate and document whether they can establish a reasonable method at least once every 12 months.

If you need assistance with your CCPA compliance efforts or want more information on compliance with the CCPA, please contact one of our Cybersecurity & Data Privacy attorneys.
