Who Should be Responsible for CCPA Compliance?

00:01

welcome everyone to Module eight of 10. We are off to the races.

00:06

This is my favorite module. We're going to review CCP A in action.

00:11

We're going to take everything that we have learned up until this point and actually apply it to our places of work to help our businesses, our employers

00:19

ensure that they're compliant with the privacy obligations established by the C C p. A.

00:24

Here we are in our course outline.

00:26

Remember, we first started by reviewing the history of the law and the scope of businesses that are subject to it,

00:32

we will re explore some items that we discussed in module to in this module

00:37

which businesses are subject to the law.

00:39

We will also review the substantive privacy obligations again. That's the consumer rights, the notice and transparency obligations, the intersection of Children's privacy and then all things related to marketing ad tech and cookies.

00:53

We won't really mention too much items relating to enforcement, except maybe around instant response issues.

01:00

This is where we are.

01:00

We're closing in on having completed the entire course,

01:03

looking forward to diving in and actually applying what we've learned to re a world scenarios

01:08

This module begins with a deeper, more fundamental question.

01:12

That is,

01:14

who should be responsible for CCP? A compliance at your company?

01:18

Maybe you believe it's you.

01:19

Maybe that's why you decided to take this course. Or perhaps you believe that you are part of the team that is responsible for it.

01:26

I would actually submit to you that CCP a compliance is a team effort. In every instance,

01:33

one person cannot push the entire train forward on their own.

01:36

Let's dive a little bit mawr into it,

01:38

the learning goals and objectives for less than 8.1.

01:42

First,

01:44

we will review how organizations should be organized

01:47

using the word twice there. But basically, how should a business allocate the reason ability of CCP a compliance within the orb?

01:55

Item number two.

01:56

This frequently gets ignored, But it's so important

02:00

issues relating to employee training,

02:01

especially as it relates to data privacy.

02:05

We're going to get into a little bit more about general privacy programs.

02:08

Of course, all of this is going to be through the lens of CCP, a compliance

02:15

the first step I recommend. Every company that I work with is to perform a c c p a risk assessment.

02:22

Every organization should do its best to evaluate its level of exposure to the C C. P. A.

02:27

A lot of that is going to be driven by the budget that, frankly, your company has to address this issue,

02:32

but also how companies normally view the employees that are on their staff and how they're generally organized.

02:39

Now

02:40

a lot of that is pie in the sky.

02:45

So to help make that point a little bit more clear,

02:47

my company, Reliant,

02:51

has generally classified businesses into three different types of categories.

02:54

I've noticed other leading companies tend to do the same thing.

02:59

I think it's actually relevant. This lesson.

03:00

There are three categories of companies as it relates to their exposure to the c c p A.

03:07

Take a second, even pause the video. If you need to

03:09

think about which bucket the company that you work for now falls into,

03:15

pause the video if you need to. But let's explore this together.

03:19

Let's start on the left side of the screen.

03:22

Bucket A.

03:23

These are companies that have revenues exceeding $1 billion a year, so not many companies, but they certainly have a huge market share those companies that do have this,

03:34

generally a company that's consumer facing

03:37

if you're a company, makes most of its revenue using the B two B model.

03:40

That might not be you,

03:43

but if you are consumer facing making more than a billion dollars,

03:46

you're probably falling into Bucket A.

03:50

Some high level critical industries.

03:52

Big tech

03:53

finance,

03:53

large scale retail.

03:55

If your company has some sort of loyalty program, you're most likely going to fall into Bucket A

04:02

Bucket B and C will receive, I think less attention from the California attorney general, although you will note that the CCP A class actions are directed at some companies that do fall into buckets B and C.

04:15

That's the general lay of the land

04:17

if your company falls into Bucket A, it absolutely should be addressing CCP issues right now.

04:24

Bucket B as well,

04:26

then bucket seat.

04:28

The C C P. A. Is technically within scope, of course, but the business model might make enforcement from the California Attorney general less statistically likely, although by no means less impactful should it occur.

04:41

Here's how the ideal reporting change should work within the context of the c c p A.

04:46

Items highlighted in blue are functions within an organization that will be responsible for ensuring CCP a compliance.

04:54

Your legal department should be actively ensuring that the company is complying with the obligations of the California Consumer Privacy Act.

05:00

If you have a chief privacy officer on staff, they will likely act as the hub for that effort.

05:06

Information security.

05:08

So you're CSO and your I T department will also need to ensure that technical and organizational controls are being deployed within your company to ensure that information is not going to be leaked and that in general,

05:21

especially as it relates to incident response,

05:25

your company is designed to handle potential CCP issues.

05:30

There is a bigger item, though.

05:32

See, SEPA compliance is a shared effort

05:35

you must have. I'll call them a private privacy ambassador, if you would,

05:41

within your business operations.

05:43

Marketing,

05:44

finance. Human resource is your loyalty programs, and even your physical facilities need to be aware of the intersection of their world With privacy,

05:54

they must be included.

05:55

They cannot assume that someone else is completely addressing all things related to privacy.

06:00

You have to push some of the responsibilities down.

06:05

If you do have the budget for it. You should also introduce the concept off having a stronger privacy team that is designed to handle things like your Consumer Request Channel,

06:15

which we will get to in a couple of lessons,

06:16

making sure that there are regular updates to the privacy policy

06:20

and that if there is an incident that there are groups of appropriate individuals who are dedicated to addressing those issues as they come

06:29

outside of your company,

06:30

there is absolutely a healthy and important role for your outside legal counsel and outside consultants to help give you a third party perspective on what to do to mature the privacy program.

06:40

Do not forget their role.

06:42

I know it can be expensive to hire outside help, but they absolutely have a very important role.

06:47

I strongly recommend always getting a gut check or even leveraging their subject matter expertise.

06:53

Our subject matter expertise truthfully,

06:56

to make sure that what you're doing is consistent with what the rest of the market is doing and what your competitors are doing.

07:01

If you've heard of the phrase data protection officer, that's a specific position that relates on Lee to the GDP are

07:09

Let's put that as a holding marker because they represent the interest of data subjects. The individuals whose information we collect.

07:15

We'll get to more of that in module nine.

07:19

Employee training is something that your privacy team or you yourself, if you are the person who was responsible for privacy

07:27

needs to ensure it's happening yearly.

07:30

There are several things that you need to discuss with them.

07:31

Privacy concepts

07:33

explain to them what the C C P A is and those substantive privacy obligations that we reviewed in modules three through six.

07:41

How your business in general views privacy.

07:44

There's several critical key functions. I mentioned them a couple of times, and I'll do it again.

07:48

The employees who work in your finance marketing HR departments need to know about how privacy impacts their day to day as well as including, especially the service line.

08:01

Those groups that helped bring in revenue for the company need to be receiving annual training.

08:07

In summary, we've reviewed how to identify a CCP a risk. What kind of bucket does your company fall into and the roles and responsibilities of each person as it relates to ensuring that the obligations of the CCP are satisfied?

08:20

Remember this is going to be a shared effort that requires annual training.

08:24

That gives us a high level summary of how things should be organized