The California attorney general recently hinted at leniency for companies making good-faith efforts to comply with the soon-to-be-in-force-but-still-pretty-confusing California Consumer Privacy Act (CCPA), a proclamation that drew criticism from a prominent figure in the compliance community.
It was a rebuke that, in this view, did not fully take into consideration the speed at which practitioners need to understand and implement a law and accompanying regulations that are still in the process of being formed.
Though the first modern state data privacy statute was signed into law in June 2018, CCPA amendments were being made as recently as October. The public comment period on the accompanying regulations ended in early December, with more than a thousand pages of comments, concerns, and requests for clarifications submitted by businesses that will be impacted by the law that goes into effect Jan. 1, 2020.
To reassure affected organizations about the lack of clarity so close to the new year, California Attorney General Xavier Becerra told Reuters the state will “look kindly” on companies that “demonstrate an effort to comply.”
To industry pioneer Hui Chen, who literally wrote the book on corporate compliance while at the Department of Justice, the comment was just a continuation of a trend of enforcement authorities focusing on program design and intentions rather than results.
“Alas, once again #compliance is equated with efforts rather than outcome,” she tweeted in reaction to Becerra’s stance.
Alas, once again #compliance is equated with efforts rather than outcome... California AG says privacy law enforcement to be guided by willingness to comply https://t.co/GE9BqjeliC
— Hui Chen (@HuiChenEthics) December 12, 2019
While we agree with the sentiment that the recent trend in FCPA guidance and comments from data regulators in Europe—that clemency will be granted to companies that break the laws but self-disclose and demonstrate good program design—is actually a step backwards in the evolution of compliance, we don’t think the Master Yoda approach (“Do. Or do not. There is no try.”) makes sense in the case of the CCPA.
The CCPA has been rushed from the start, and in the recent comments posted by the AG’s office, a number of entities subject to the law asked that the effective date of any final regulations be delayed far beyond the proposed enforcement date of July 1, 2020, out of worry they won’t have sufficient time to prepare.
In a recent survey conducted jointly by Compliance Week and ACA Aponix, just 21 percent of practitioners surveyed said they felt “very confident” they’ll be in compliance with the law on Day 1, while a combined 40 percent were either “uncertain” or “not confident at all” they’ll have a program in place by the effective date. Nearly two-thirds of respondents (62 percent) said the biggest hurdle they face with the CCPA is understanding it.
To us, the California AG’s comment about giving companies showing a good-faith effort the benefit of the doubt is simply an acknowledgement that the process has been rushed. If he says the same thing two years from now, we’ll roll our eyes along with Chen. But for now, it seems like the right thing to do.