Ed. Note: This is the fifth installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.
Data privacy has become one of the greatest areas of risk and concern for business. It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020. Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it. The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business. The following excerpt was reproduced with the permission of the ABA.
What types of documents, policies, procedures, and protocols should service providers consider putting in place to comply with the CCPA?
The written policies and procedures that service providers put into place to assist in their compliance with the CCPA differ depending upon several factors including the size of the service provider, the quantity of personal information that it collects, its industry, what the service provider does with the information it collects, and with whom it shares information (e.g., subprocessors). That said, there are six functional compliance-related documents that most service providers consider when trying to create processes and procedures that deal with the core requirements of the CCPA. The following chart “maps” the core substantive requirements of the CCPA, as amended by the CPRA, with those functional compliance-related documents. It is important to remember that some service providers will decide that they do not need each of these documents in order to comply with the CCPA; other service providers will decide that they need several more:
It is also important to note that some service providers may also be considered “businesses” in connection with other types of information that they hold (e.g., business contact information, employee information, etc.). Where a service provider is also considered a business, it should consider the additional policies, procedures, and compliance-related documents [required of businesses.]