What will enforcement of the California Consumer Privacy Act (CCPA) look like when the deadline arrives July 1?
For one, companies can expect aggressive enforcement from California Attorney General Xavier Becerra. That contrasts with the enforcement environment for the last major personal data privacy legislation, the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018.
Becerra has said publicly he disagrees with GDPR regulators’ initial practice of issuing warnings, rather than fines and enforcement actions, said Dominique Shelton Leipzig, a Los Angeles-based attorney who co-chairs law firm Perkins Coie’s AdTech Privacy and Data Management practice.
“He’s made it clear that he wants to learn from the GDPR’s experience, that it did not have enough teeth at the beginning, that there were not enough enforcement actions,” she said. “He’s been very cognizant of the criticisms of (privacy) regulators in Europe.”
Becerra has remained committed to the July 1 enforcement date, despite the coronavirus pandemic and a request by more than 60 business groups to push the enforcement date back to Jan. 1, 2021.
The first wave of enforcement actions, Shelton Leipzig said, will be on issues on which Becerra’s office can make a statement.
Children’s privacy a top priority
A coronavirus-related alert Becerra issued in April advised the public that children’s privacy rights would continue to be protected under the CCPA during the pandemic.
July 7 Webcast: The California AG is ready for CCPA … are you?
Join Compliance Week and Microsoft for a free CPE Webcast on July 7 at 2 p.m. ET on practical post-enforcement guidelines from a regulations compliance perspective as well as a glimpse into how Microsoft is preparing for enforcement with their own solutions.
“Whether it’s our children’s schooling, socializing with family and friends, or working remotely – we are turning to mobile phones and computers as a lifeline. With such a dependency on online connectivity, it is more important than ever for Californians to know their privacy rights,” he wrote.
Consumer CCPA-related complaints to the AG’s office will also likely spur enforcement actions, but those complaints have not yet been made public.
Companies that are flouting the law will be the first in line for enforcement actions, Shelton Leipzig said, particularly if they cannot show they attempted to comply with the law.
“Starting someplace is better than starting nowhere,” she said.
“I’d be especially concerned if I was a company that collects sensitive data” but had done little to comply with the law, predicted Philippus von Nerée, head of operations at Semasio, a German-based marketing insight and targeting company that grew up under strict, local privacy regulations and the GDPR. “The better you prepare, the better you document, the easier it will be to show you made a good faith effort (to comply).”
“The safest thing to be is a zebra in a herd of zebras,” added Dan Clarke, president of IntraEdge, which has developed Truyo, an Intel-backed GDPR and CCPA compliant data privacy platform. “You’ve got to show your company has made an effort to comply. The last thing they want to see is that you’ve done nothing.”
A CCPA-related lawsuit against TikTok, filed on behalf of a minor, alleged the Chinese company mishandled the data of the minor.
Digital marketers, data analysts beware
One industry that might be in the AG’s crosshairs with the CCPA is digital marketing. Digital marketing companies are called data brokers as defined under a different California state law, and they have to register with the AG’s office every year. Registered data brokers are more likely to be compliant with the CCPA than those that are not, but the industry’s business model of collecting and selling data to third parties will likely put their data collection practices under the AG’s microscope.
Already, a lawsuit in which data broker Bombora alleged CCPA violations by its competitor ZoomInfo could provide clues to potential enforcement actions by the California AG.
Big Data users are another likely target, Shelton Leipzig said. Any company or industry that sorts and analyzes large data subsets could be asked to prove how they protect consumers’ privacy. Areas of interest within Big Data include predictive analysis, business intelligence, Software as a Service (SaaS), and facial recognition, among others.
The AG’s office has also posted consumer-facing CCPA notices and made public statements on CCPA priorities for industries as varied as technology platforms, social media companies, financial institutions, utilities, telecommunications, and connected cars.
There are already several CCPA-related lawsuits filed in California courts that the AG’s office will likely be monitoring. California-based consumers filed lawsuits against Zoom and Houseparty alleging the companies mishandled their personal information.
So, your organization is not prepared for the CCPA …
You’re not alone. A recent survey of corporate and compliance professionals revealed many companies are unprepared for the CCPA.
Nearly a third (29 percent) of 1,500 professionals who responded to a recent survey by TrustArc, a compliance and risk management vendor, reported they have just started preparing for the CCPA. The survey found more than 20 percent of respondents said they either did not know or were unlikely to be compliant with the law by July 1. Just 14 percent of respondents said they have completed their CCPA compliance.
According to the CCPA, the law applies to any company doing business in the state of California “that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information.” Only California-based consumers can request to opt out of a business’ data collection practices, request that their personal information be deleted, or file a lawsuit alleging mishandling of their personal data. If asked by the AG’s office, companies will have to prove they were responsive to such requests. Companies must disclose to the AG’s office the value of the data collected to the business.
That still covers an awful lot of companies, and many are still trying to figure out how to respond to the CCPA’s numerous requirements—despite the law taking effect Jan. 1.
Good news for companies that have complied with the GDPR—90 percent of their preparations will help them comply with the CCPA, said Nerée.
“The tracking of user requests in the CCPA is new,” he said, and even GDPR-compliant companies for whom the CCPA applies will have to build a system to respond to and track opt-out and data delete requests from California-based consumers. The CCPA also has a requirement that companies assign a value to the data they collect, which is also missing from GDPR regulations.
For other corporate leaders attempting to comply with the CCPA, the first thing to do is to understand how your organization collects, stores, monitors, and uses the data it collects.
“The challenge that we are seeing more and more is a fundamental awareness of data,” said Stephen Cavey, co-founder of Ground Labs, a vendor that develops data management and regulatory compliance technology. Businesses should ask themselves: What data are we collecting? How are we storing it? Are we prepared to handle opt-out requests?
There are two ways to figure that out, Cavey said. One is the manual or assumption-based model, where all department heads are asked about their data collection practices. That model is based on the assumption the department heads know exactly where all of the data their organization collects is stored and how it can be accessed.
This model often overlooks many kinds of data that is collected, Cavey said. A more thorough approach involves hiring a consultant to complete a data security survey. “The findings can be absolutely breathtaking,” he said.
As an example, a telecommunications client of Ground Labs had a secure link to its bank, which it used to send a daily reconciliation of its finances. The company had excluded the reconciliation from its data security survey, guessing (incorrectly) that there was no personal data transmitted in the reconciliation reports. Turns out the company sent more than 100 million pieces of personal information on its customers to the bank, which the bank then uploaded into its system. All of that data had to be accounted for in a revised survey.
Then there is the issue of distributed data, exacerbated by the work-from-home phenomenon sparked by the coronavirus pandemic. Employees with a weak WiFi signal might download a document to work on it, rather than remaining linked to their company’s secure network. There’s personal data that is shared with third parties, consultants, and vendors that needs to be tracked. Contracts with those third parties should include clauses that address how personal data should be handled.
“Not unless you do a proper assessment of your data will you truly understand the scope of the problem,” he said.