[This article was originally published in VentureBeat on July 4, 2020]
Enforcement of the California Consumer Privacy Act (CCPA) began on Wednesday July 1, despite the final proposed regulations having just been published on June 1 and pending review by the California Office of Administrative Law (OAL). The July 1 date has left companies, many of which were hoping for leniency during the pandemic, scrambling to prepare.
COVID-19 appears to be shifting the privacy compliance landscape in other parts of the world — both Brazil’s LGPD and India’s PDPB have seen delays that will impact when the laws will go into effect. Nonetheless, the California Attorney General (CAG) has not capitulated on the CCPA’s timeline, with the attorney general’s office stating: “CCPA has been in effect since January 1, 2020. We’re committed to enforcing the law starting July 1 … We encourage businesses to be particularly mindful of data security in this time of emergency.”
With the CCPA being one of the most demanding pieces of privacy legislation that some companies have ever faced, compliance has understandably lagged. In 2019, different estimates placed the percentage of organizations that would be ready for the CCPA by Jan 2020 somewhere between 12% and 34%. A recent poll by TrustArc revealed that as of June 2020 just 14% of companies were completely done with CCPA compliance, while another 15% had a plan but hadn’t started implementation. This leaves an additional 71% of companies whose plans for CCPA compliance are unaccounted for. These numbers, while large, might not be all that surprising, as only 28% of firms were compliant with GDPR over a year after it went into effect, with companies greatly underestimating what it would take to be compliant.
What should companies expect next?
Although the CAG’s ability to take enforcement actions is now in effect, companies can be held liable for breaches of the law that occurred earlier in the year. Additionally, consumers have been able to take legal action against non-compliant companies since the beginning of the year, with at least 19 lawsuits having been filed since Jan 1, 2020. These lawsuits illustrate the circumstances under which enforcement can take place as well as the potential compliance blindspots companies might face. Companies also face the prospect of new California privacy legislation in the form of the California Privacy Rights Act of 2020 (CalPRA or CPRA), colloquially referred to as CCPA 2.0. The initiative has collected over 900,000 signatures and is expected to be on the November 2020 ballot, with 88% of Californians supporting its passage. Although this bill is not expected to take effect until January 1, 2023, organizations lagging behind on CCPA compliance will likely struggle to meet their obligations under the CPRA as well.
What should companies behind on CCPA compliance be doing?
Companies that are just now starting to implement their compliance programs should do their best to align themselves with the final regulations that have been sent to the OAL. While there’s no silver bullet to doing this, below are some considerations worth taking into account:
Operationalizing the CCPA at scale requires a serious commitment to security. The CCPA has formally made clear that the era of security as an afterthought is over. Although the legislation is fairly agnostic about the types of security frameworks and controls organizations will have to deploy to ensure CCPA compliance, it’s apparent that satisfying the functional requirements of the CCPA will require developing comprehensive data discovery and data security programs organization-wide. For example, the ability to provide accurate disclosure notices at collection or within privacy policies, as well as the ability to process consumer requests and reduce breach risk all implicitly require companies to understand the categories of data they ingest. Companies will also need to know how this data is used, where it’s stored, and who has access to it. This will often require building consistent security processes with the help of tools like privileged access management, securely configured firewalls, and application security controls like data loss prevention. While it’s true that strong security practices alone aren’t enough to operationalize CCPA compliance, companies who are already complying with one or more privacy regimes or who otherwise have mature information security programs will likely find compliance easier.
Continuous compliance requires clear ownership within your compliance program. While IT and security will form the bedrock of an organization’s ability to comply with the CCPA, it may not be the case that IT or security should own the entirety of your organization’s compliance initiative. Your organization’s structure and the business purpose served by consumer data collection should inform who the relevant stakeholders will be. Clearly delineating who’s responsible for which aspects of your organization’s compliance program will be critical to making sure your program makes sense and will scale well as the privacy landscape continues to evolve.
Make your compliance program future-proof. While no one in your organization likely has a crystal ball, you don’t exactly need one to see that privacy is the future and that investing in consumer privacy today is a smart decision. Despite stalled privacy legislation stateside and abroad, the GDPR, CCPA, and potentially the CPRA will continue to serve as bulwarks that future legislation will aspire to. This means that should your organization limit itself to simply satisfying CCPA requirements, you’ll likely be playing catch-up as you suddenly find the privacy landscape maturing. Aiming to have your security and compliance programs scale to ensure the same rights and protections across your entire customer base will ensure you stay ahead of the game.