Ready or Not, Here Comes California’s Data Privacy Law
 

Businesses worldwide are facing a July 1 compliance deadline as enforcement of the California Consumer Privacy Act (CCPA) kicks in. The law sets some of the tightest data protection regulations in the U.S., and it affects many companies outside California as well as those based within the state. In fact, some experts say CCPA may have the same kind of impact on many businesses that the state’s emissions standards have had on automakers worldwide.[i]

California decided to push ahead with a July enforcement date despite pleading by a coalition of business organizations, which had requested the state hold off until January 2021 to help companies impacted by COVID-19 lockdowns. “This reality will significantly delay businesses in crafting their ultimate CCPA compliance programs,” the coalition said in a letter signed by 66 business groups, ranging from the American Council of Life Insurers to the Toy Association. [ii]

CCPA affects any organization that collects personal information and does business with consumers in California. The law defines “doing business” as generating $25 million of more in revenue, working with over 50,000 data points—households, individuals or devices—or generating more than 50% of revenue from the sale of data.[iii] This broad range of criteria means that even a startup that sells email lists may fall under the law’s oversight. Companies that don’t comply face penalties of up $7,500 for each violation, which could add up to millions or even billions of dollars for a company with data on many California consumers.[iv]

CCPA’s Costs and Productivity Impact

The data privacy law gives consumers four broad rights over their data: disclosure, deletion, opt-out and nondiscrimination. Organizations have to inform consumers why they are collecting their data and what kinds of data they are collecting. The rights to deletion and opt-out allow users to request that their data is erased and refuse to let their data be sold, while non-discrimination bars organizations from treating those consumers differently.

“There are numerous impacts for business that translate into greater drains on productivity and financial costs,” said Garth Landers, Mimecast Director Product Marketing, Archiving. He pointed to an impact assessment performed by the state, which estimated that slightly over half the companies affected would spend between $100,000 and $1 million on compliance, and nearly one in five would spend over $1 million.[v] Landers noted that the assessment was performed nearly a year ago and “there is no guarantee that the firms polled were cautiously optimistic, or even had a sense of the scope that CCPA entails.”

“CCPA requires significant planning and reporting efforts by organizations to determine what data about consumers they have, where it is located, their reason for retaining it, and how long they need to retain it,” Landers said. “In addition, organizations have to plan accordingly for planned data destruction/retention and the process/technical means for carrying that out. The amount of time, effort and personnel to document all of this must be considered as well.”

“Personnel and staffing around privacy may not have been a concern for some organizations in the past—but now, many of them will have to determine the level of investment and hiring that they need,” Landers added.

CCPA Data Privacy Requirements Are a Moving Target

The scope of the law has been a moving target. The CCPA was originally passed in June 2018 and went into effect on January 1 2020, with July 1 2020 set as the date for enforcement of compliance.  But many of the precise data privacy requirements for businesses were defined only recently, in rules developed by the California attorney general’s office. The final rules weren’t published until June 1.[vi] They added biometric information such as fingerprints and retina scans to the data covered by the law, and provided more guidance about the opt-in and opt-out notices that businesses must post to inform consumers about which data is being collected and why.

Some companies may find that the work they’ve already done to comply with the European Union’s General Data Protection Regulation (GDPR) will help smooth the path to compliance with the CCPA. “The good news for many companies that have international business is that a lot of this will be similar to the kinds of preparations that they made to come into compliance with the GDPR,” said Josephine Wolff, assistant professor of cybersecurity policy at Tufts University. Some the CCPA’s requirements parallel items in the GDPR, such as the need for organizations to track which data they collect and offer an opt-out, she noted.

Based on the experience with GDPR, it’s possible CCPA won’t have a seismic impact on consumer behavior, even if it does inflict pain on companies getting ready for compliance, said Wolff. “I just don't know whether all of a sudden millions of people are going to rush to opt out of everything,” she said. “Most people will just sort of continue to use the Internet and allow these companies to use their data in the same ways that they always have.”

Much like California’s stringent auto emissions requirements raised the bar for automakers worldwide, CCPA may help to set the data privacy standard for many businesses outside the state, experts say. Wolff noted a potential parallel with breach notification requirements. No federal data breach notification law has passed, but most states have enacted their own, and most organizations moved to comply with the toughest standard—California’s, she said. Tech companies will either lobby for a federal law to supersede CCPA, or they will adopt CCPA as their standard, she predicted.

Data Protection Starts With An Audit

To prepare for compliance, organizations should do a data audit, if they haven’t already, said Wolff. “Figure out what data you’re collecting, who it’s going to, who you're sharing it with, how it's being protected,” she said. “That's an important prerequisite.”

Disclosures and privacy policies in plain English are also important features in CCPA compliance. “Not just the boilerplate document that says we collect a lot of data and we use it to improve our service, but a document that actually says something,” said Wolff. She suggested working with your legal department to create the required opt-in and opt-out mechanisms, and make them clear and accessible.

Organizations should examine the ability of their internal audit processes to react to governance events such as the CCPA, with a focus on continuous improvement and refinement, said Landers. “New business units, new technology adoption, new products and services all have an impact.” He suggested that organizations take several key steps, including: 

• Conduct a content inventory: It’s important to understand the scope of relevant enterprise data.
• Leverage information governance practices and technologies: Data security and privacy requirements share some similarities with information governance efforts such as e-Discovery, which require organizations to find content relevant to an individual or transaction by searching huge amounts of digital data to meet a tight deadline. An enterprise archive that collects and preserves mission-critical data is the foundation of data privacy governance efforts. The next layer is leveraging a case review application to run searches, apply legal holds and perform extracts and exports. Good information governance also requires the necessary people, collaboration and corresponding processes—such as enforcing retention policies—to succeed in the long run.
• Plan data minimization: Data privacy laws will make organizations question why they retain information, and for what purpose. The larger the surface area, the greater risk of a data breach and the larger the opportunity for discoverable data during litigation and other governance events. Organizations should be systematic with retention policies: collaborate as necessary to create them, make sure they are consistently applied, and choose the right archive technology to enforce them.

The Bottom Line

CCPA will have a significant impact on many organizations—but it’s not too late to get ready. Start by assessing the consumer data that you store and how you use it, then build a system of policies and technology that can ease your way to successful compliance. 

[i] "California sees push on new data privacy," Roll Call

[ii] “Request for Temporary Forbearance From CCPA Enforcement,” Insights Association

[iii] “In 2020, Data Privacy Laws will Blanket the U.S. From Coast to Coast” Cyber Resilience Insights

[iv] “Top 5 Operational Impacts of CCPA—Part 5: Penalties and Enforcement Mechanisms,” International Association of Privacy Professionals

[v] “Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations,” State of California Department of Justice

[vi]  “Proposed Regulations Package Submitted to OAL,” State of California Department of Justice