The 2021 Privacy Compliance Checklist for California Businesses

Personal information includes details that alone or in combination with other information may identify a specific individual. This includes details such as names, email addresses, unique device identifiers, internet browsing history, and information about a person’s interaction with a website, mobile app, email, or advertisement.
Under California law, personal information also includes information on individual households. Do you understand your obligations with respect to the types of data you collect?

Information about an individual’s health, finances, biometrics, and information about children is considered sensitive information and comes with more robust privacy obligations. If you collect these sorts of details, you have to take extra care and adhere to stricter compliance regulations. Have you evaluated the data you collect to determine whether any of it may be sensitive information? Have you put extra safeguards in place for the sensitive information in your care?

Just because your web developer is local, doesn’t mean your data is stored locally. They may host the information in another state or country. Your contractors and third-party providers (consider email marketing platforms, virtual desktops, document management systems, etc) may also store data out of state or internationally. When you transfer personal information across borders certain requirements may apply. Have you investigated where your data is being stored?

The laws in some jurisdictions give individuals rights to access personal information businesses hold about them; ask that their personal information be corrected, updated, or erased; and ask that their personal information be deleted or transferred upon request. If you received one of these requests from a user, would you be able to quickly find all the places your business has stored that person’s information? Would you be able to honor a request to update, delete, or transfer a user’s personal data?

Have you conducted risk assessments to determine the sensitivity of the data you collect and store?

Have you implemented protections scaled to that risk level? This FTC Guidance is a useful starting place for assessing your data security.

Do you use physical security controls to deter or prevent theft or tampering with all devices and computing assets used in your business?

Do you have technical protections (like antivirus and encryption mechanisms) installed or configured on all devices and computing assets used in your business?

Do you restrict access to personal information to only those employees and third-party contractors with a “need to know”?

Do you have strict internal password requirements for employees and third-party contractors?

Do you ensure that information is disposed of securely when it is no longer needed?

Public-facing privacy notices, such as a web privacy policy, website terms of use, cookie policy, cookie pop-up, and just-in-time data collection notices.

Internal governance policies, such as an information security policy, incident response policy, vendor management policy, bring your own device and work from home policies, and business continuity and disaster recovery policies.

Have you considered all jurisdiction-specific laws? For instance, if you collect information from European residents, are you compliant with the GDPR (General Data Protection Regulation)? If you collect information from California users, are you compliant with the CCPA (California Consumer Privacy Act) (soon to be replaced with the CCPA (California Privacy Rights Act))?

Have you considered all laws that apply to specific types of information? For instance, if you collect health information, are you compliant with HIPAA (Health Insurance Portability and Accountability Act)? If you collect financial or credit information, have you considered your obligations under the FCRA (Fair Credit Reporting Act) and GLBA (Gramm-Leach-Bliley Act)?

Have you considered all laws that apply to specific types of individuals? For instance, if you collect information from children under the age of 13, are you
compliant with COPPA (Children’s Online Privacy Protection Act)? Are you aware of the special considerations for children between the ages of 13 and 16 under California law?

Emails containing ‘commercial content’ (that promotes products or services) sent from businesses are governed by the Federal CAN-SPAM law. You are required to:

Have you identified relevant staff to lead efforts to contain and/or stop a breach?

Have you developed pre-prepared communications to inform your users, service providers, business partners, law enforcement and regulatory agencies, and the media about a breach?

Are you aware of all your relevant reporting obligations and statutory timeframes for sending notices?

Do you provide for routine review of your privacy compliance documents and processes?

Does anyone routinely monitor for changes to the privacy landscape in any jurisdiction from which you collect personal data?

Do you have a framework that allocates responsibility to specific managerial staff members for your business privacy compliance?