To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.”

Knowing what personal information your company has from a thorough data inventory is the backbone of an effective CCPA compliance program. As mentioned in Part 1 of this series, now is the time to get started. The stakes may become even higher with the introduction of Senate Bill 561, which, if enacted, will: (1) expand the private right of action to cover all CCPA violations, not just those arising from data breaches, (2) remove the right to cure a data breach to avoid a private right of action, and (3) remove the ability of businesses to seek guidance directly from the Attorney General.

If you would like any assistance with creating a data inventory, please click Schedule Meeting. We also encourage you to attend the CCPA Public Forum at Stanford Law on March 5, 2019, and to submit written comments either directly to the Attorney General, or through us, by the March 8, 2019 deadline.