Better Late than Never: While Organizations Struggle to Comply with the California Consumer Privacy Act on Time, Ignorance of the Law Is Not an Option

By Michael A. Shapiro, Attorney at XPAN Law Group, LLC

The California Consumer Privacy Act (CCPA), enacted last summer, is the first comprehensive U.S. privacy law; it creates broad rights for consumers in California and parallel duties on businesses regarding the use of personal information. Among the rights delineated by the CCPA, consumers can seek disclosure of what personal information businesses collect and store about them and whether such information is disclosed or sold to third parties, can stop the sale of their personal information, and have the right to access their personal information. Cal. Civ. Code § 1798.100-120. We discussed the provisions of the Act and how they compare to the EU's General Data Protection Regulation (GDPR) in an article published last year.

Preparing for the CCPA, which goes into effect on January 1, 2020, has been a major challenge for companies doing business in California. The Act, hastily passed in June of last year to avoid a referendum on a ballot initiative, has already been amended but remains in many respects vague and ambiguous. More amendments are pending before the California General Assembly, and the Attorney General has yet to issue regulations that might clarify some of the Act's provisions and the corresponding compliance obligations. Furthermore, for many domestic companies, the CCPA is their first foray into privacy and data protection compliance.

The International Association of Privacy Professionals and OneTrust recently conducted a survey of more than 280 organizations, mostly in the United States, to gauge their preparedness for the CCPA. The survey revealed that although most organizations are making strides to comply, they are more unprepared than ready to implement the new law. When asked to rate their preparedness on a scale of 0 (have not started to prepare) to 10 (fully prepared), 26% responded that they are highly prepared (7-10 on the preparedness scale), 39% indicated medium preparedness (4-6 on the scale), and 34% indicated low preparedness or no preparedness at all (0-3 on the scale). Although 80% of all respondents expect to be compliant by July 1, 2020, when the California Attorney General will begin to enforce the statute, a quarter of the organizations that indicated a low preparedness level have no timeline or don't know when they expect to be in compliance.

According to the respondents, lack of time/bandwidth and the complexity of the law are the two main obstacles to compliance, followed by lack of budget; lack of knowledge, training, and tools; and lack of internal support from leadership. The organizations struggling with the first two compliance barriers are less likely to be prepared at this time. Given that consumers' rights under the CCPA (access to personal information, disclosure of data collection and processing practices, erasure, and portability) echo those of the GDPR, it is not surprising that over two-thirds of the respondents are, to some degree, leveraging their previous GDPR compliance efforts in trying to become CCPA-compliant.

Concern about sanctions and enforcement actions is one of the motivating factors for compliance. Under the current version of the statute, consumers will be able to bring civil actions, including class actions, in limited situations: if their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a business's failure to implement and maintain reasonable security procedures. Cal. Civ. Code § 1798.150(a)(1). Under a pending amendment, however, the private right of action would be expanded to all violations of consumer rights. The CCPA also gives the California Attorney General the right to impose fines for violations of the Act. Id. at § 1798.155(b).

In addition to potential lawsuits and monetary penalties, non-compliant organizations face a significant reputational risk in a market attuned to privacy issues. Indeed, most survey respondents cited a risk to their company's reputation as the primary motivator for CCPA compliance. Furthermore, companies will require their vendors and suppliers to contractually certify compliance with the CCPA. Thus, non-compliant organizations will face both regulatory penalties and breach of contract actions, as well as a competitive disadvantage in the vendor marketplace.

Notwithstanding these concerns, 11% of the survey respondents are unsure whether the CCPA even applies to them. Companies operating outside of California are often surprised to learn that the CCPA's coverage is not geographically limited to the Golden State. For example, businesses that buy, receive, sell, or share the personal information (which is very broadly defined) of more than 50,000 California residents are subject to the Act. Cal. Civ. Code § 1798.140(c), (g), (o). This "extraterritorial" application of the CCPA is becoming the standard jurisdictional approach in data protection regulations (see, e.g., GDPR Art. 3(2), which applies the GDPR beyond the EU's borders).

Given this potential exposure, can your organization afford to remain ignorant? The answer is No. You must take stock of the data processed in your company, assess whether the CCPA potentially applies to your organization, and consider the risks of non-compliance.

The first step is to conduct a regulatory impact analysis: does your company fall under the jurisdictional reach of the CCPA? If yes, what is the extent of the company's exposure? This information will drive how your company should prepare for the CCPA and will provide the much-needed support within the organization to have the company devote resources to achieving compliance. Next, your company should harness what it is *hopefully* already doing for privacy and security to comply with the CCPA. Do not reinvent the wheel: compliance with the CCPA starts with implementing good data privacy and security practices. To the extent that you are already doing that, map your existing activities to the CCPA's requirements.

Finally, waiting is not an option: you need to act now, before regulators and class action lawyers start knocking on your door. Even though the CCPA is still in flux, with pending amendments and forthcoming regulations, it is not going away. And, in privacy and security, luck favors the prepared!
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.