The California Consumer Privacy Act (CCPA) was enacted in 2018, took effect January 1, 2020, and enforcement began July 1, 2020 as scheduled, but not without uncertainty. According to the National Law Review, “Now, we are seeing reports that enforcement in fact began as promised, with companies receiving compliance notices before the July 4 holiday weekend.”
That enforcement has begun on schedule is surprising, as the National Law Review notes:
There were questions as to whether enforcement would begin on July 1, 2020. During the ramp-up period, the California AG issued regulations governing the implementation of the CCPA. Confusingly, those regulations were modified several times. It was not until June 1, 2020, that the California AG finalized the regulations.
The regulations must now undergo a 90-day review by the California Office of Administrative Law, after which their final text will be filed with the California Secretary of State. Only then—around the end of August—will the regulations become enforceable. Thus, while CCPA is itself in effect, the status of its regulation has been a matter of significant procedural uncertainty.
So, where does this leave those of us who must ensure our organizations comply with the CCPA?
Its implementing regulations may not be final yet, and it may be among the newest data privacy and protection laws, but CCPA is not unique. Global Compliance News recently surveyed 52 countries and found:
- Out of 52 countries surveyed, the US and Saudi Arabia are the only ones that do not have omnibus data privacy and security laws in place. 42 of 52 countries surveyed have sector-specific requirements.
- Many countries with long-established data privacy laws are in the process of making changes to these laws: 41 of 52 countries surveyed anticipate changes in the next 12 months.
- Data privacy and security regulators are becoming more aggressive and tougher on businesses with poor data protection practices, and are aligning themselves with counterparts around the globe. We expect higher penalties to apply on noncompliance moving forward.
- While regulators are stepping up enforcement, they will focus their efforts on more pressing aspects such as data security and incident response practices, online consent practices and transparency requirements, excessive collection and processing of online personal data, and data residency requirements, among others.
- Jurisdictions will continue to adopt more expansive data breach notification requirements. Our data shows that 41 of 52 countries surveyed already require the notification of personal data security breaches.
No matter where your organization is located or who it does business with, it is likely subject to one or more of these data protection regulations today, and, as time goes on, the regulations are almost certain to become more constraining and the cost of noncompliance higher.
So, that’s the regulatory side. But I like to think the reputation side of the equation is just as important. Who wants their customers, employees, shareholders, and other stakeholders to find out their organization doesn’t care enough about them to protect their data? We’ve seen over and over what this can do to businesses and the people who run them.
The senior management of organizations around the world needs to accept that protecting data is a cost of doing business. It’s not a nice-to-have; it’s a must-have. And I’m not just writing this as a representative of one of the largest data security firms. I’m writing it as a consumer, an employee, a shareholder, a parent, and a citizen of California, the US, and the world. The global cacophony of regulations is a response to organizations being reckless with our data.
Whether CCPA is immediately enforceable or not shouldn’t matter to organizations that value their customers, employees, and partners. Protecting their privacy and their data is the right thing to do. And there are many other regulations already in place that mandate breach notification and levy fines if your business isn’t a good steward of privacy and sensitive data. We can also be sure that California Attorney General Xavier Becerra is going to see CCPA through; he knows it is important to California citizens. We also know that the baseline for meeting any privacy or data-breach regulation is the same: establish appropriate data discovery (knowing what personal data you hold and where it lives), access management, and data protection practices.
And to specifically address the CCPA, please read our “How to Prepare for the California Consumer Privacy Act” white paper.