Sean Hewitt - Aug 9, 2018

First the GDPR, Now California’s Consumer Privacy Bill: Your Ultimate Association Data Privacy Checklist

data privavcy

While many associations are still working to comply with GDPR, the State of California passed a new Consumer Privacy Bill that will have a significant impact on numerous organizations around the world.  Here is what associations need to know:


Associations that need to comply with the new regulations are required to give California consumers an effective way to control their personal information by ensuring the following rights:

  1. The right of Californians to know what personal information is being collected about them.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, even if they exercise their privacy rights


The first step to managing data privacy is to document what personal data you have and what processing you are doing with it. All subsequent steps are dependent on this information being accurate.

In order to mitigate the risks related to data privacy compliance whether it be GDPR, California Privacy, or future state/country specific requirements, this list will be helpful:


  • Identify special categories of data processed
  • Document processing activities
  • Determine legal basis for processing (Like you did for GDPR)
  • Eliminate data that is not required or has no legal basis
  • Ensure consent has been documented for processing using "consent" as the legal basis

 Organizational Steps:

  • Form a team to manage privacy risks
  • Assign data stewards for personal data
  • Define internal data privacy policies
  • Advise/educate staff and board
  • Assign responsibility for security and breach detection

 Inform and enable data subjects:

  • Update privacy notice and inform data subjects of how to execute their rights
  • Provide data subjects with a method to contact you
  • Provide data subjects with a method to object to processing
  • Provide data subjects with a method to view / control their data
  • Define process to receive and process data subject requests

 Manage 3rd Parties:

  • Identify 3rd parties with who you send personal data
  • Ensure 3rd parties are compliant
  • Establish data processing agreements with 3rd parties


Associations who meet the following conditions need to comply:

  1. Annual gross revenue over $25 Million
  2. Buy, sell, share, or processes personal data on over 50,000 California residents
  3. Derive 50%+ of annual revenue from selling personal information

The deadline for compliance is January 2020. Click here for more resources on Data Governance...


Written by Sean Hewitt