Professional Documents
Culture Documents
Ten Steps To CCPA Compliance
Ten Steps To CCPA Compliance
Ropes & Gray is committed to helping you understand how n nderstanding what data an organization collects and how it is
U
the CCPA impacts your organization and working with you to used and disclosed is essential for effective CCPA compliance;
adapt your policies and procedures to ensure compliance. The if no data map exists, jump-start the process by documenting
material flows.
following checklist is a useful tool that will help your company
n rganizations must also determine whether personal informa-
O
prepare and maintain airtight compliance standards under tion is being “sold” as that term is defined by the CCPA.
the new data privacy regime. n s a best practice, organizations should develop and maintain
A
a data inventory documenting what data they collect and store,
how it is used, and whether it is disclosed or sold.
STEP 1: Determine whether your organization STEP 4: Draft externally facing privacy notices
is in scope for the CCPA n he CCPA requires organizations to provide information to
T
n Is your organization a for-profit entity? consumers about the categories of information collected and the
(Nonprofits are not subject to the CCPA) purposes for which those categories of information are used.
n Does it collect personal information about California residents? n rganizations must also update their online privacy notices to
O
include:
n Are you a controller—that is, does your organization determine
the purposes and means of processing with respect to the – Details regarding personal information:
data (i.e., why and how data is used)? n ategories of personal information collected
C
n Are some of your data processing operations exempt from about consumers
HIPAA, GLBA and certain other federal privacy regimes? n ources from which personal information is collected
S
n Is your organization “doing business” in California? n urpose for collecting or selling personal information
P
n Does your organization meet any one of the following three n ategories of third parties with whom personal
C
thresholds? information is shared
– Revenue over $25 million – Express bans on discrimination against the exercise
– Annually buys, receives for the business’s commercial of CCPA rights
purposes, sells or shares for commercial purposes—alone – Sales and disclosures
or in combination—the personal information of 50,000 n hether or not the organization sells personal data
W
or more consumers, households or devices (must affirmatively state one way or the other)
– Derives 50 percent or more of its annual revenues from • If personal information is sold, describe categories
selling consumers’ personal information of information sold
If you answered yes to all of the above, the CCPA will likely apply to n hether or not the organization discloses personal
W
data you collect and use about California residents. Even if not, the information to others for a business purpose
CCPA may apply if business partners require compliance by contract • If personal information is disclosed, describe
or if an affiliate of your organization shares common branding with the categories of information disclosed
your organization and satisfies the above criteria.
n onsumer rights
C
NEW YORK | WASHINGTON, D.C. | BOSTON | CHICAGO | SAN FRANCISCO | SILICON VALLEY
HONG KONG | SEOUL | SHANGHAI | TOKYO | LONDON
ropesgray.com
© 2019 Ropes & Gray LLP. All rights reserved. Prior results do not guarantee a similar outcome. Communicating with Ropes & Gray LLP or a Ropes & Gray lawyer does not create a client-lawyer relationship. 19_1427_0909