The Mamas and the Papas were famously “California dreamin’ on such a winter’s day,” but on Jan. 1, 2020, plenty of privacy professionals will face the reality of the California Consumer Privacy Act. As preparation for the Golden State's privacy law ramps up, Orrick has launched a free tool to help organizations assess just how ready they are to take on the CCPA.
Orrick’s CCPA Readiness Assessment Tool consists of five sections with questions covering the Scope of the CCPA, Notice to California Residents, CCPA California Residents Rights, Vendor Management and Contracting, and additional considerations.
Orrick Privacy and Cybersecurity and Practice Group Co-Head Heather Egan Sussman, CIPP/US, said the firm is one of the few that has an internal lab to help develop solutions designed to make lawyers' and their clients' lives easier. Sussman believes the depth of the questions created by the firm's team of in-house professionals and the report summarizing the results are the reasons the Orrick tool stands out compared to other CCPA assessors.
While the assessment tool does outline where a company may stand with its CCPA readiness, Sussman said anyone who takes the quiz cannot rely solely on it to answer all their compliance needs.
“It would be impossible to have a survey that would say, 'This data stream is going to be covered by GLBA,' or, 'That data stream is going to be covered by [the Health Insurance Portability and Accountability Act].' Our assessment does not get to that level of granularity, and I really do think you’d need to consult with a lawyer,” Sussman said. “This is not legal advice. This is a free online tool. We are not entering into an engagement letter with the client so we are not rendering legal advice in the process.”
Sussman said Orrick was able to refine its CCPA offering based on a similar tool it had created for the EU General Data Protection Regulation. She cited the “actionable results” within the CCPA reports as one way the firm was able to improve upon its GDPR predecessor.
“There are other things like making available an option to select ‘not sure,’ because as you are taking the test it’s not just a yes or no. You may not actually know as you are filling it out,” Sussman said. “And things like being able to pause while you are taking the test and resume at a later date and not lose your place are the kinds of developments we’ve perfected as we’ve gone along.”
Privacy professionals begin the assessment with Section A, which consists of the scoping questions. Users are asked whether they do business in California or with California residents, whether the organization or an entity acting on its behalf collects information that can be linked to a California resident, and whether they derive 50% or more of their annual revenues from selling California residents’ personal information.
Based on the answers they give in Section A, privacy pros will either be told they are not covered by the CCPA, thus ending the assessment, or they will continue forward with the remaining four sections.
The majority of questions allow for responses of “yes,” “no” or “not sure.” In cases when users select “yes” or “not sure,” additional questions may pop up.
In Section A, for example, one question asks, “Are you an entity that controls or is controlled by any other for-profit legal entity that: Does business in California or with California residents; and shares common branding with you?” If “yes” or “not sure” is selected, the tool prompts another question that reads, “Does that entity collect or receive information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked with a particular California resident or household (defined as ‘personal information’) in any of the following ways?” Users can then click on a lightbulb on the right side of the tool that lists the definitions of personal data cited under the CCPA to better inform their decision.
After the first section, privacy professionals will be asked about whether they intend to notify California residents about data collection, their ability to take on rights requests, and their relationships with third-party vendors.
Once the assessment is complete, the tool generates a report that informs users what areas of CCPA compliance they need to work on based on the answers they submitted. The report will inform privacy pros about where they stand with handling opt-outs, children's privacy, the right to deletion, data mapping and CCPA training.
“Based on your responses, you may not yet be prepared to provide California residents with timely notice of any changes to your personal information processing practices,” the final report might state.
As lawmakers amend the CCPA, Sussman said Orrick will alter the questions as needed to ensure results are up to date. The tool addresses this in the report, as it warns privacy professionals the results they have received may become irrelevant as the CCPA approaches its final form.
The law firm has started to receive feedback on its assessment tool, and while it has been positive, Sussman notes users have offered suggestions for improvement. Sussman cited one client who wanted Orrick to add another answer that boils down to “not yet, but we are working on it.”
Similar to the law it covers, Orrick’s CCPA assessment tool will likely see some changes before Jan. 1. However, the law firm’s ultimate mission with its service will not change before 2020 arrives.
“Our goal with this tool is to help start the conversation,” she said, “and that with this real, actionable report, privacy officers and other compliance professionals can go to senior management and say, ‘Here’s the work that needs to be done, and we need the time and resources to allocate to this’ and then hopefully it helps move them to execute as they get closer to the effective date of the law.”