Countdown to the CCPA: Businesses Still Facing Uncertainty

With only months until the California Consumer Privacy Act  — set to become the most stringent and comprehensive data protection law in the US — comes into effect, uncertainty is still rife about the implications of the CCPA and how it will be enforced.

A step towards clarity was made last month when the California Senate blocked a bill that would have strengthened the law and potentially increased challenges for organizations. The failure to pass Senate Bill 561 means that:

• The threat of private litigation is reduced. SB 561 would have granted citizens the right to sue for all CCPA violations, even without the occurrence of a breach. With the bill’s failure, private rights of action are limited to actual breaches of data. Instead, it will be up to California’s attorney general to enforce the law — a win for businesses.
• The proposed correction period remains in place. SB 561 proposed eliminating a 30-day cure for alleged noncompliance with the CCPA. With that provision still part of the law, companies will have time to address purported violations before they are subject to fines or penalties.
•  Businesses can still seek the attorney general’s opinion. SB 561 would have eliminated a provision allowing businesses to seek guidance from the California attorney general on how to comply with the law. Instead, it would have been up to the AG to publish general guidance on compliance. SB 561’s failure is thus good news for businesses, which will not be challenged to interpret questions of compliance on their own.

Take Action Now

More amendments are expected before the CCPA takes effect on January 1, 2020, with some proposals still hanging in the balance. But businesses should start making preparations now to ensure compliance once the law takes effect.

Since one of the requirements of the CCPA is for companies to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” organizations can start by:

• Developing written cybersecurity or data security policies that include effective ways to control access to information.
• Inventorying the data they hold, including where it is held and how it flows through the enterprise.
• Minimizing the amount of data being held and limiting its movement and the number of people and parties with access to it.
• Putting in place an efficient way to update software and “patches” to correct security vulnerabilities.
• Developing ways to detect data breaches and other cybersecurity events.
• Preparing written incident response plans that are regularly exercised and rehearsed.

Despite uncertainty about additional amendments, we know that the CCPA — like the European Union’s General Data Protection Regulation — will provide new protections for any “personal information” collected by businesses, including biometric, commercial, and geolocation identifiers. And while rights under the CCPA are only afforded to consumers in California, other states are expected to eventually adopt similar laws, making it imperative for organizations to have best practices in place before the end of the year.