California Consumer Privacy Act (CCPA) Compliance: Expert Commentary
On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) began.
On the first day of enforcement, California Attorney General Xavier Becerra described the CCPA as “a first-of-its-kind data privacy law in America” and encouraged every Californian to know their rights to internet privacy and every business to know its responsibilities.
“The website of every business covered by the law must now post a link on its homepage that says, ‘Do not sell my personal information’,” he said. “Click on it. Remember, it’s your data. You now get to control how it’s used or sold.”
At the time, not all companies were ready. Many companies have remained confused about the many moving parts of the CCPA – from the law and its potential amendments to the regulations governing data privacy compliance and enforcement.
A Timeline of How the CCPA Became Law
Royal notes the timeline for the Act was quite unusual, as so much was changing during the time the new data privacy act was proposed.
Here are some key dates:
- September 2017 – California Consumer Privacy Act put forward as a ballot proposition by Californians for Consumer Privacy (a citizen-led privacy group)
- December 18, 2017 – California Department of Justice approved the language of the CCPA initiative
- January 3, 2018 – CCPA introduced to the Government of California
- May/June 2018 – The ballot proposition was filed in May to appear on the November 2018 election ballot.
“But by June Governor Jerry Brown made an agreement with the Californians for Consumer Privacy that if a law was passed within the next week or so then he would withdraw the ballot proposition.”
- June 28, 2018 – CCPA passed into law.
“The original version of the CCPA seemed like it was written by high schoolers. Some people say it was written by law students; I disagree, I think it was worse than that. I think it was high school level – there were so many grammatical corrections and fixing parts of the law that conflicted with other parts of the law.”
- September/October 2019 – Amendments made to the CCPA and announced on October 11.
“We were waiting with bated breath for the amendments to come out so we knew what regulations would apply.”
- January–March 2020 – The CCPA came into effect on January 1, but more changes came soon after.
“The second draft regulations came out in February 2020. At this time we were under the requirement that enforcement of the CCPA had to start six months after the regulations were adopted, but no later than July 1.”
- June 1, 2020 – The final set of CCPA regulations were submitted to the Office of Administrative Law.
“The attorney general asked for an expedited review, but they were not submitted for emergency review.”
- July 1, 2020 – The CCPA entered the enforcement phase.
“I do believe the attorney general plans to enforce it, but I don’t believe he plans to go, ‘Whole hog party, let’s grab everyone.’ I think he plans to look at significant violations of the CCPA, something that truly impacts the consumers. Not something minor, such as, ‘You don’t have the right privacy notice posted and you need to fix it.’ It’s something that’s a major infraction of the law that violates the entire spirit of the law.”
Data Protection Compliance Enforcement in California
Breitbarth notes the early enforcement actions in California were likely to include a few surprises. “I think all the data protection authorities in Europe had companies and private sector organizations in mind they would want to go after,” he says. “And in many situations, you’ll see that has happened.”
“Although the very first enforcement cases were probably also the unexpected ones: complaints filed that nobody was aware something was wrong. Or the ones that were very easy to investigate. So I do believe the AG (attorney general) would certainly have companies in mind to investigate, but I’m sure he’ll get tip-offs and complaints as well, that he will have to take into account.”
Royal agrees it was likely the first enforcement cases under the CCPA would be citizen-raised lawsuits, whether by an individual or a class action. “They’re only for breaches. And in fact, there is a provision of the CCPA that says the CCPA is not to be used as a foundation for any other action.”
Europe has a blanket ‘right of access’ rule, so in his view it’s strange the CCPA only has a 12-month rule for ‘right to know’ and ‘right to deletion’.
This rule for data privacy action in California has several implications:
- If a person asks for their email to be deleted from an organization’s records, the organization apparently only needs to act on the information from the past 12 months, so the rule is largely ineffective.
- If a person stopped using a product more than 12 months ago, the records relating to their product user account might not be accessed if they exercise their right to deletion
- Organizations must do extra work to track every data element from the date it was collected, and apply rules that control the time frame within which each data point may be accessed, including when it falls outside the 12-month window.
- Organizations must also have reports available at any time. There are companies that specialize in data discovery to help find where data elements are – TrustArc has a partnership with BigID, for example – as it is complex work.
Data Privacy Compliance is a Global Challenge
“There is no magic wand for privacy compliance,” warns Royal. “Not in Europe, not in the United States, and not in any single country in the world.”
“Coming from Europe,” Breitbarth adds, “I’ve seen all the companies struggle with General Data Protection Regulation (GDPR) and GDPR readiness. When looking at the results of TrustArc’s Global Privacy Benchmarks Survey it’s the same for the US all over again.”
The scope of the Global Privacy Benchmarks is impressive. The 2020 survey was answered in May 2020 by a range of people working on privacy from multinational organizations to SMEs, top management to people doing the work.
Perhaps not surprisingly, the section in the survey about CCPA reported some startling results:
- 45% of people working on privacy compliance reported they had only slight or no knowledge of the CCPA
- More than one-third (36%) of the 55% of respondents who knew about the CCPA reported they hadn’t started implementation of CCPA compliance in May 2020.
On the positive side, some technology companies that handle massive amounts of data, Microsoft and Intel for example, have stepped up to the plate with robust privacy programs.
A privacy program is a competitive differentiator. It’s something an organization can be open and proud about. If you want to be truly privacy compliant, and you earn consumer trust, create a ‘trust center’ online – and be open and transparent about your privacy activities.
Applying the rights across the US isn’t really a privacy strategy move for companies, it is an operational move for companies. The way databases and operations happen, it’s difficult to carve one group of people out of your entire database in the US. To make it efficient, roll it out across the whole nation, and across the whole world.
Listen to Serious Privacy podcast episode 22 – CCPA: Aiming for a Moving Target
This podcast episode originally aired on July 7, 2020, just a few days after the beginning of the enforcement of the California Consumer Privacy Act (CCPA).