Today's General Counsel, Winter 2020

Page 29

SPONSORED SECTION

Four Questions to Answer About New Privacy Regulations

By Rebecca Perry

News about data privacy is everywhere. From politics to congressional hearings to new laws restricting how personal data can be used, it’s a topic that every general counsel must have top of mind. Following our friends in the European Union’s General Data Practices Regulation, the United States is introducing new privacy laws that apply to businesses that collect and store consumer and employees’ personal data. An example is the California Consumer Privacy Act (CCPA), which is set to go into effect on January 1, 2020. The scope of the CCPA is pretty broad, but it doesn’t apply to all organizations. Most non-profits are exempt, and a business must have gross revenue in excess of $25 million while collecting the personal information of more than 50,000 customers. But if a business gets at least 50 percent of their revenue from selling California residents’ information, they’ll be required to comply.

The CCPA essentially creates new consumer rights, and therefore new obligations for businesses. The CCPA grants consumers:

• The right to know what data was collected on them, and for what purpose.
• The right to access their data.
• The right to request that their data be deleted.
• The right to know which third parties hold their data.
• The right to consent to collection, sharing and use of their data.
• The right to opt out of their data’s use.
• The right to equal treatment.

All of this means that consumers have more control over their personal data held by businesses, which creates the following challenges: Do businesses have their arms around their data? Do they understand where it lives within their organization, and where it is shared?

Along with those internal management issues lie additional issues pertaining to handling consumer requests. How do you give California consumers a portal to request their information? How do you validate that it is truly that individual requesting the information? And how do you respond and maintain records of those responses going forward?

Here are four important questions that in-house counsel can ask their teams to help determine their readiness for complying with the CCPA and other pending privacy regulations.

Question 1: Do we really know our data?

Organizational expectations of data management and information governance rarely line up with reality. Effective and defensible compliance begins with a data inventory — developing it if you don’t have one, organizing it if you do. In order to do that, you have to engage with key business people across your organization and find out what data they’re using, how they’re using it, and how they’re storing it. How you develop your data inventory is
