Legacy of CCPA: A blueprint for prioritizing compliance

The law expected to rein in the questionable data protection practices of Silicon Valley tech giants has resulted in a fine against a company just once, when cosmetics retailer Sephora was penalized $1.2 million in August for failing to comply with customer data sale notification and opt-out request requirements.

Not quite the bite people were expecting.

And yet, the expanding U.S. data privacy legislation landscape is better for this approach. When four additional states—Colorado, Connecticut, Utah, and Virginia—begin enforcing their respective privacy laws this year, they have a blueprint to follow for what these kind of bills should prioritize: compliance.

What good are eye-watering financial penalties without guidance and requirements to reform the deficiencies underlying the violations? While the CCPA has lacked in the former, it has more than made up for it regarding the latter.

California Attorney General Rob Bonta has made liberal use of the CCPA’s 30-day cure period, which allows businesses flagged for apparent violations to work to ensure they meet the law’s requirements. His office has announced enforcement sweeps regarding online retailers, mobile apps, customer loyalty programs, and more; in each case, companies notified of noncompliance have remedied their alleged issues within the 30-day window. All but Sephora.

Though the CCPA’s 30-day cure period is set to expire this year following amendments to the law made as part of the California Privacy Rights Act, which took effect Jan. 1 and is still undergoing rulemaking, it’s hard not to acknowledge the results as a success. Bonta in July 2021 praised “great progress” made under the law despite its lack of an enforcement record at that time and had proof to back it up in the examples of resolved deficiencies provided.

As new state privacy laws continue to pop up across the country, few—if any—will come close to the strict protections laid out in the CCPA. Even a potential federal privacy law is likely to be deemed weaker, which will no doubt lead to California resisting any notion of preemption regarding its landmark legislation.

Still, lawmakers can learn from the first three years of the CCPA and what its accomplished. Working with companies to achieve compliance might not make headlines like a nine-figure penalty, but it does help to ensure the purpose of the law—actual data privacy compliance—remains the priority.