4A's Guidance

4A's Guidance Notes and Discussion

Confused about your agency's compliance requirements under the new California Consumer Privacy Act (CCPA)? You're not alone. The CCPA is essentially the first-ever piece of comprehensive consumer privacy legislation passed in the U.S. Although inspired by Europe's General Data Protection Regulation (GDPR), there are clear and important distinctions between CCPA and GDPR. So, unfortunately, if your agency thinks they're in the clear because they're already in compliance with GDPR, they likely aren't. If you've been tasked in your agency with developing a game plan for CCPA compliance, then you're probably wondering where to start. And you don't really have much time to waste - CCPA comes into effect on January 1, 2020. 

If you're just getting started, you'll want to begin by taking a look at "The CCPA: California Consumer Privacy Act, What Agencies Need to Know." This guidance, provided jointly by the 4A's and Venable LLP, is a great starting point as you're trying to get a better handle on what exactly the CCPA is and why it could impact your agency's operations. If you're getting a late start on things and you really need that road map now - skip ahead to page 27 of the document where you'll find a "Practices Checklist" that lists ten suggested tasks an agency should undertake as they think about how the CCPA applies to their business operations. Once your agency has gone through this exercise (or the version of it that best suits your needs), you'll probably have a pretty good idea of what's required, and where the gaps might be between current practices and what's required under the new law. 

Depending on the results of your gap analysis, you have likely now arrived at a junction point where you're trying to decide if you can build out compliance processes and interfaces in-house, or if you would be better served by hiring a privacy vendor to help you. The answer to this question will likely depend on a multitude of variables unique to your agency, but should you decide you need a privacy vendor to help you, there is no shortage of options to choose from. In their 2018 Privacy Tech Vendor Report, the International Association of Privacy Professionals (IAPP) lists 192 unique vendors who handle some aspect of privacy compliance, both internationally and domestically. (Note: The number of privacy vendors has more than doubled since the 2017 vendor report.) Which vendor might best serve an agency's needs will depend on a multitude of factors, including the needs of the agency (e.g. data mapping, incident response, facilitating consumer access requests, data inventory, audit trails, etc.) as well as concerns such as cost, how long the vendor has been in market, reputation, etc. It's always possible that an agency could have needs that are best met by two vendors with different strengths. 

While the 2018 IAPP Privacy Tech Vendor Report does not appear to specifically contemplate the implementation of CCPA (it appears to be more developed with GDPR in mind), most U.S.-based privacy vendors are very aware of CCPA and have been busy building out a suite of products to deal with the law's requirements. This report should be considered a good starting point for an agency looking for more information on a domestic privacy vendor that can potentially help them, should they choose to outsource certain compliance requirements. 

Agencies are likely to find themselves in a somewhat unique position when it comes to CCPA compliance. Compliance will often mean different things, depending on the scope of the campaign being run. Agencies will need to evaluate each campaign based on the specific data flows involved to understand how CCPA might apply. It remains possible that an agency could be a business, a service provider or a third party in any given scenario, depending on the role they are playing. 
Possible CCPA Scenarios for Agencies

Considerations for each scenario: Does CCPA apply? If so, how?

  • Agency develops four branded websites for a new product launch and then turns them over to the client to run before launch. Agency never collected any personal information prior to handing over the websites to the client. 
  • Agency develops four branded websites for a new product launch and then works with a third-party web hosting vendor to run the websites. 
  • Agency collects IP addresses, online identifiers, and/or cookie information as part of a campaign, but no "real" personal information like names, email addresses, or passport numbers. 
  • Agency collects IP addresses, online identifiers, and/or cookie information as part of a campaign, and stores said data. A California resident makes an access request to see the personal information that the agency has on them. 
  • Agency is acting as a service provider on behalf of a client. The client receives a deletion request from a California resident and passes the request to the agency. 
  • Agency is holding personal information of California residents and suffers a breach incident. 
  • Agency has no physical presence in California, yet receives an access request from a California resident. Agency is holding personal information on said California resident. 

Depending upon the specific instance, an agency can be considered a business, a service provider or a third party, with different concerns for each.

As questions arise, be sure to consult with your attorney.