Schedule a Consultation: 858.483.9200
Privacy Act Deadline Nears: Record Keeping Required
The effective date of the California Consumer Privacy Act (“CCPA”) is nearing. See Cal. Civ. Code, §1798.100 et seq. Among the many legal requirements imposed by the CCPA, such as a toll-free telephone number for customers to use, the CCPA requires record keeping. This was made clear by the CCPA Regulations recently released by the California Attorney General’s Office. See our discussion here. Thus, among the other tasks, San Diego businesses need to develop, draft, and implement company policies with respect to record keeping. An experienced San Diego corporate attorney can help draft such policies and keep them current year-to-year.
With respect to record keeping, the Attorney General’s Office Regulations require a minimum level of recordkeeping concerning compliance with the CCPA. Aside from the Attorney General’s Office Regulations, a policy concerning record keeping would be important and necessary anyway. For all sorts of laws and regulatory obligations, business subject to the CCPA need to keep records as simple protection against potential litigation. If your company’s compliance is challenged in a lawsuit, the records are necessary to prove otherwise. The Attorney General’s Office Regulations focus on the needed record keeping when consumers make contact about their rights under the CCPA. The records that must be kept are:
- Identity of the consumer requesting information
- Efforts to confirm the requestor’s identity — as a reminder, giving information to the wrong person is a violation of the CCPA
- Date of request
- Nature of request
- Method of request
- When was a response from your company made along with method of response
- Nature of response including reasons for response (if the response was denied, for example)
The Attorney General’s Office Regulations make clear that collecting this data and keeping these records is not itself a violation of the CCPA as long as the data is collected only for the purposes of complying with the CCPA. One potential legal catch-22 is that the Regulations state that this sort of data should only be retained for 24 months. After that time, the Regulations indicate that the data should be deleted. However, lawsuits under the CCPA can be filed for up to four years — 48 months. It may be prudent for San Diego businesses to retain the compliance information for four years. This is one area of conflicting requirements that the State Assembly or the Attorney General’s Office should clarify as the CCPA comes into effect.
Aside from record keeping related to consumer inquiries, there are a host of other record keeping tasks that must be done. The CCPA required that various consents must be obtained before data may be collected. Further, as data is collected — at the point of collection — consumers are entitled to various notifications about what data is being collected and for what purposes. Extensive record keeping is needed by the fact that consent is required and that data collection is linked to purpose(s). Note further that, if the purpose for which data is used is changed, then additional notices and consents must be obtained. Without the new notices and new consents, the new use of the collected data will violate the CCPA. In addition, consumers are given the right to “opt out” of certain uses of their data (such as the sale of their data). Records must be kept for those who are opting out and opting out for what purposes. At minimum, the following records will be needed (along with notice that data is being collected for “compliance purposes”):
- Identity of the consumer
- Notices provided — for example, consumers are entitled to know what data is being collected and the purpose(s) to which the data is being used, how long the data is stored, etc.
- Consumer consent to data collection
- Limits on what data the consumer consented to have collected
- Any “opt out” choice(s) — for example, consumers can opt out of having their data sold or shared
- Any and all purpose(s) identified for which that particular data collection was collected
- Dates for collection, consent(s), notice(s)
- Nature of data collected — to prove compliance with the notices provided
- And more
As can be seen, the record keeping will be complex. The Attorney General’s Office Regulations do not adequately address of the record keeping requirements of the CCPA. Hopefully, additional guidance will be forthcoming.
Legal Reminder: Another reason for the extensive record keeping is that the CCPA and the Regulations require many businesses to compile, file and make public annual statistics related to CCPA-related consumer requests.
Contact San Diego Corporate Law Today
For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard provides a full panoply of legal services for businesses including formation of corporate entities of all types. Like us on Facebook.
You Might Also Like:
Consumer Privacy Act: Could the Courts Expand the Private Right of Action Under the CCPA?
Is it Time to Say “No” to Biometrics?
CCPA Effective Date is January 1st: Does Your Business Have Indemnity Insurance Coverage?
CCPA Effective Date Looming: Is Your Toll-Free Number Up and Running?
Thoughts on Legal Risks Re: Your CCPA Data Collection and Use Notices