By: Bill Tolson on January 21st, 2019

Print/Save as PDF

Look Behind You... The CCPA Look-Back Requirement

archive360 | defensible disposition | GDPR | California Privacy Act

Blog01212019The California Consumer privacy Act (CCPA) was passed last year (2018) with an effective date of January 1, 2020 – assuming no federal actions (check out the blog titled “Will the New California Consumer Privacy Act Stand?” for potential federal actions.)  


Who does the CCPA affect?

Simply put, the CCPA protects all California residents whether they are a consumer, employee, or business contact. With hindsight, with the passage of the E.U.’s GDPR privacy regulation, many organizations didn’t think they needed to worry about it until much closer to the effective date of May 25, 2018. In fact, there are still many companies that aren’t in compliance. This wait-and-see strategy turned out to be a risky strategy for many companies because they didn’t fully understand the implementation complexities involved. They were not considering the potential startup costs, implementation turn-around times, and the new processes needed to put it in place. Implementation readiness for the CCPA has already put many companies into an untenable position; they may already have dug themselves a hole they will find difficult to climb out of.

Most companies aren’t yet aware of the fact that their responsibilities for CCPA readiness begin well before the planned January 2020 implantation date. I am speaking of the “look back” requirement.

The look-back requirement of the law allows California citizens to ask for their information on January 1, 2020 - for the previous 12 months. Companies should be able to find and report on what consumer data exists, how it's being used, and if it's been sold to 3rd parties. Also, the consumer can demand its disposal, if the company is not required to keep it for regulatory or legal reasons. Ideally, beginning on January 1, 2019 (already past) companies should already have been capturing and managing consumer data in such a way as to ensure it can be found, culled, and deleted quickly if needed. The current requirement is a business must respond to a consumer’s verified request for information within 45 days (subject to extension under limited circumstances). Many companies will not be able to fully respond correctly raising the possibility of fines.  

What does this mean for my company?

Companies that have not begun CCPA planning and implementation should take this risk to heart and get started immediately. The following topics should be addressed in your CCPA planning:

  1. Records/information management: Are you managing ALL data that contains California resident’s personal information (PI)? A best practice is to consolidate all PI (not just Californian’s) into a single repository to make searching faster/easier and to ensure no copies are floating around which would violate the CCPA if not deleted when asked. Ensure your systems are set up to index and search for PI based on residency.
  2. Create a CCPA team for fast/complete response: The time frame to react to a PI request is limited so having a tested process in place will greatly reduce non-compliance liability.
  3. Data deletion: How PI is deleted from your systems is important. Simply hitting the delete button is not a true deletion - meaning unrecoverable. Companies should install deletion technology that ensures PI is completely unrecoverable, otherwise it could be considered still available and in violation of the CCPA.
  4. Data encryption: The best insurance policy again both the GDPR and CCPA non-compliance is to utilize encryption/anonymization with all PI. Many privacy laws including the GDPR and CCPA take the position that if PI is encrypted and the encryption keys were not stolen/hacked, then even if the data was accessed, it could not have been usable and therefore not in violation if data is inappropriately accessed.

We'll take our chances

Some CIOs have the attitude that they don’t need to worry about the CCPA because the chances of a California citizen asking about their PI from a small company in another state is particularly low – a bad idea. The chances may be low but are not zero, and the benefits of CCPA preparation (listed above) actually provide obvious benefits to companies beyond that of CCPA risk reduction, such as better information management.

If you haven’t started yet, you still have time to get your company ready. Working with vendors like Archive360 will help you get ahead of it to ensure you’re ready on January 1, 2020.

Contact us to find out how Archive360 can help you address your CCPA challenges.


About Bill Tolson

Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.