The day we’ve all been waiting for is finally here. Today, the California Consumer Privacy Act (CCPA) is not only fully in effect, but also a fully enforceable regulation. The state can now take legal action against companies that violate privacy regulations — and fines can start building up.
Not everyone welcomes enforcement with open arms. As recently as April, the Association of National Advertisers, backed by around 60 like-minded companies, pushed California Attorney General Xavier Becerra to extend CCPA’s enforcement to January of next year, noting disruptions caused by the COVID-19 pandemic.
The AG, however, cited the pandemic as further reason to keep the July 1, 2020 date on the books. “We encourage businesses to be particularly mindful of data security in this time of emergency,” Becerra wrote, making it abundantly clear that the July 1 enforcement date was not up for negotiation.
While the same group of advertisers recently asked the California Office of Administrative Law (OAL) to reject the AG’s proposed regulations that are in tandem with CCPA, the OAL ultimately took the side of the AG. Becerra’s office now has the authority to bring an enforcement action based on any CCPA violation that could theoretically date back to January 1 of 2019.
The winding road to CCPA enforcement
Over three years ago, Alastair Mactaggart’s group, the Californians for Consumer Privacy, drafted a bold ballot initiative — a more restrictive version of today’s CCPA that included a more generous private right of action and strong enforcement provisions. Once the group had obtained the necessary signatures to qualify for California’s November 2018 referendum, lawmakers and lobbyists wasted no time drafting an alternative.
Within a week, Mactaggart had withdrawn his original initiative in favor of a modified version of CCPA, which was subsequently passed by the state House and Senate with unanimous votes. Assembly Bill 375 landed on Governor Jerry Brown’s desk, and he signed it into law on June 28, 2018.
Turning CCPA into a legislative bill rather than a ballot initiative meant that California lawmakers could amend the state law — a huge benefit for them. It also meant that the California AG could provide regulations to help companies better understand their compliance requirements. Both occurred, with interested lawmakers enacting multiple amendments for exemptions, and the AG providing several rounds of draft regulations.
In some ways, the draft regulations went above and beyond the requirements of the CCPA — including record-keeping requirements and how to calculate the value of consumers’ data. Despite vocal criticism that the regulations created more confusion than clarity, the AG will have the ability to start enforcing CCPA today, even though the regulations have not been officially finalized.
Setting the stage for CPRA
The past two years have shown companies’ dissatisfaction with the CCPA both in terms of its provisions and its enforcement date. Watching all of this take place spurred Mactaggart’s group to further action, and they created a new ballot initiative in the fall of 2019 to amend CCPA and ultimately strengthen it.
As Mactaggart stated in the announcement for CCPA Version 2.0 (now the California Privacy Rights Act, or CPRA), “During this time, two things have happened: First, some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. I believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy.”
Most recently, the Secretary of the State of California declared that CPRA had enough votes to qualify for the general election ballot this coming November. If enough California citizens say yes to this initiative, then CPRA would significantly modify and increase the consumer privacy rights of state residents.
New provisions include consumer data rights to correction, limitations on the use and disclosure of “sensitive personal information,” and restrictions against the sharing and sale (a hotly debated term in CPRA) of personal information. This would put the Golden State’s privacy regulations on par with Europe’s groundbreaking General Data Protection Regulation (GDPR).
What companies are doing to ensure CCPA — and CPRA — compliance
When it comes to CCPA enforcement, businesses have a wide range of confidence — and competence — in achieving CCPA compliance. For any business that falls under CCPA, there are five broad areas that they need to address:
- Map and inventory customer, consumer, employee, and sensitive personal data
- Create an automated and scalable solution to fulfill data privacy rights
- Define breach thresholds and privacy team workflows for breach response
- Validate and test everything, from access requests to data sharing to security policies
New Privacy Regulations = New Opportunities
Despite today’s “due date” for enforcement, it may take years to understand the full implications of the CCPA, its attached regulations, and the coming CPRA. Much of this will play out in the state courts as companies fall under the scope of this law.
In the meantime, privacy teams can leverage CCPA as an opportunity to shed light on why their function is essential — not just for the sake of compliance, but also because it’s good business. Consumers and employees alike want to interact with organizations that create good products and services while also taking effective stewardship of their data.