5 Strategies for CCPA and Data Privacy Compliance

By Hal Marcus, Director, Product Marketing, DocuSign

Fast on the heels of the EU’s General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA) went into effect on January 1, 2020. As discussed in our previous blog and webinar, CCPA affects businesses worldwide, covers a wide range of personal data, and imposes new requirements and liabilities beyond those of GDPR. While there’s no singular roadmap to “CCPA compliance,” there’s no shortage of good practices for companies to prepare not only for CCPA, but also other emerging state data privacy laws. And the DocuSign Agreement Cloud can help. 

Here are five key strategies to meet CCPA requirements.

1. Identify risk areas across contracts—in DocuSign and from other sources.

CCPA imposes requirements on businesses that share or sell private data, including when the “sale” is not for traditional monetary gain. To address these requirements, you need to know how your service providers and business partners collect and share personal data, both before and after your interactions—and that requires clear knowledge of what’s in your agreements. The challenge is that contracts don’t generally contain standardized terms around data privacy issues, so even a searchable contract repository won’t obviate a tedious manual review effort.

DocuSign Insight uses AI-driven analysis to provide 360-degree visibility into your agreements, regardless of how and where they’re stored in your enterprise. Pre-configured to automatically and intelligently identify contract clauses triggering data privacy issues, Insight provides a conceptual understanding of your providers’ and partners’ commitments around personal data use, enabling you to manage and mitigate CCPA risk where necessary.

2. Generate revised agreements with third parties that share data.

Once you’ve identified the data privacy weak points within your agreements, you’ll want to amend and re-negotiate contract terms. Traditionally, “re-papering” agreements with a range of business partners and service providers was a painstaking, costly, and error-prone process. 

DocuSign CLM streamlines this process by automating contract creation, negotiation, and approval. SpringCM helps you efficiently build contracts by leveraging previously-approved clause language and source data from your enterprise systems. It also helps you shepherd agreements through complex negotiations and proprietary workflows. 

If your 3rd party relationships are managed in Salesforce, DocuSign Gen for Salesforce provides an integrated solution to prepare, sign, and store these agreements efficiently and reliably. =

3. Execute revised third party agreements quickly and efficiently with all signatories.

With CCPA’s start date and other data privacy timelines looming, agreements that have been revised for CCPA compliance need to be executed in an efficient, reliable, and—of course—legally binding way. 

DocuSign eSignature provides reliable enforceability of revised agreements with timestamped, tamper-evident, and court-admissible audit trails. Plus, DocuSign’s advanced workflow tools accelerate your execution process: The bulk send feature allows you to gather individual consent from a large number of users, while automated reminders and conditional routing keep complex approvals on track.

4. Collect provable consent to revised T&Cs, disclosures, and privacy policies.

CCPA requires that businesses notify consumers if they sell, share, or disclose personal information. Businesses are also required to display a persistent “opt-out” option and secure from consumers under 16 (or their parents/guardians if under 13) an affirmative “opt-in” before their data is leveraged. To minimize risk, businesses should collect—and document—the consent of their consumers to revised End User License Agreements (EULAs), Terms and Conditions, privacy policies, and the like. 

DocuSign Click provides an easily-auditable mechanism to capture legally-binding consent to standard terms across all platforms, all with a single click. With Click, administrators can seamlessly process updates to existing agreements, so it’s always clear which users have agreed to which version of an agreement. And Click is compatible with your existing DocuSign eSignature infrastructure, so it’s easy to gain a unified view across all your eSignature and clickwrap agreements.

5. Manage subject access requests—from submission to validation to secure delivery.

This one is a three-parter, and it’s a strong opportunity for businesses to turn privacy obligations into enhanced customer trust. CCPA requires businesses to provide consumers the ability to obtain, have deleted, and stop the sharing of their information, including adding a “Do Not Sell My Personal Information” option to corporate websites. Handling such data privacy “subject access requests” can be a burden and risk point, but it can also show a business’ commitment to consumer privacy and convenience. 

Create a seamless experience for consumers to submit subject access requests. 

DocuSign Guided Forms, powered by Intelledox, provides easy-to-implement, customer-friendly forms to capture such information. Guided Forms provides step-by-step guidance to users and pre-fills forms with known data, so you get complete submissions and fewer errors. 

Validate the requestor’s identity to confirm you can share their personal data. 

The DocuSign Identify family of products includes SMS, phone, knowledge based authentication, and even digital verification of government IDs from a mobile device. This is especially valuable when the requestor can’t be reliably identified via the business’ account process, or when parental consent is required for a minor’s “opt-in” as discussed above.  

Process and deliver on data privacy requests in a secure and fully-auditable way.  

DocuSign eSignature is used every day to securely route encrypted documents for approval, avoiding the need to email sensitive files, risk data exposure, and follow up to confirm receipt.  DocuSign provides a powerful platform for businesses to approve and act on subject access requests—ensuring a complete audit trail of every step and access point along the way. 

Learn more with our on-demand webinars.

With a growing patchwork of inconsistent legislation on the horizon, maintaining data privacy diligence is a mandate, not a choice. Fortunately, meeting your data privacy law requirements can—and should—go hand in hand with building more agreeable B2B and B2C relationships. 

Watch “Get Ready for CCPA While Enhancing Customer Trust”

Watch "Four Strategies for Data Privacy Readiness"

This blog post is offered for general information purposes only. It does not constitute, and is not a substitute for, legal advice.