Lawyer Monthly Magazine - August 2019 Edition
facilitate consumers’ rights under the CCPA and provide guidance to businesses for how to comply. Implementing a data privacy compliance program can be a resource-intensive and time-consuming exercise; therefore, we have strongly encouraged our clients not to delay the process of developing the necessary programs and procedures. Companies that have already gone through a GDPR readiness program are at a slight advantage as specific processes and procedures previously developed will also apply to the CCPA. However, it is essential to note that the CCPA imposes some unique requirements; therefore, GDPR compliant does not necessarily equate to CCPA compliant. In any event, creating a data privacy compliance program can be overwhelming. To fully comply with CCPA, a business must first know detailed facts about the personal information it collects. This is most easily accomplished by creating a data map that traces the personal information ingested by the company and how it is collected, used, processed, stored, and sold. Next, we work with our clients to review their current business processes and make modifications as necessary to ensure they have necessary procedures, practices and policies in effect to: (1) verify consumer requests; (2) make available two or more designated methods for consumers to submit requests; (3) create and maintain a tracking system to ensure compliance with response times and applicable time periods; (4) provide requested personal information in a portable and readily usable format; (5) update privacy policy to include necessary disclosures; (6) identify service providers who might have received personal information and develop procedures to effectuate deletion; (7) ensure any agreements with service providers include this obligation; (8) update website to prominently display opt-out button; and (9) tag, track and separately treat personal information of consumers who exercised the right to opt out.
This is not an all-inclusive list of requirements, but is merely illustrative. Although not explicitly required, we encourage our clients to document their data privacy compliance program policies, practices, and procedures in writing as most businesses will find it challenging to comply with these requirements without written policies and procedures in place. Additionally, having this documentation in writing may be beneficial if a company needs to defend its compliance activities. Lastly, we work with our clients to ensure they have adequate training programs in place so that employees who handle consumer inquiries have a general knowledge of the company’s CCPA obligations and can instruct consumers how they can exercise their CCPA rights.
Jurisdictions have some level of data security laws, but these laws can vary widely from one state or country to another; what issues can this cause? Do you think there should be a more homogeneous set of regulations and laws?
It can be difficult for businesses to comply with global data privacy and protection laws, as requirements and regulations fluctuate from region to region. This can cause some businesses to think twice before expanding to a new market. Unless a company’s legal department
Super Lawyers
By Anthony E. Stewart, Hall Booth Smith, P.C.
69 AUG 2019 | WWW.LAWYER-MONTHLY.COM
COMPANIES, THEREFORE, WILL NEED TO DETERMINE HOW THEY CAN MONITOR THEIR DATA SHARING PRACTICES AND TIMELY RESPOND TO CONSUMER REQUESTS.