Challenging CCPA Non-Compliance
A recent survey of companies concerning the California Consumer Privacy Act (CCPA) published in the media found that 56% do not expect to have achieved CCPA compliance by January 1, 2020, when the law goes into effect. The number is not particularly surprising as a similar percentage of companies were expected to not be ready for GDPR compliance when it went into effect in May 2018. However, the number is still concerning as data privacy at businesses continues to hold the attention of consumers, government officials and the media.
Since the new California privacy law was passed, fourteen months have elapsed. Businesses have four months remaining to complete their CCPA preparations before the effective date, and as much as ten months before the Attorney General begins enforcement. There is still more than enough time for businesses who operate their compliance program efficiently to start now and be ready by January 1, but the window is narrowing. Businesses had two years to prepare for the General Data Protection Regulation (GDPR) which now governs data privacy in the European Union.
Compliance with CCPA is probably trickier than with most laws because the California legislature is still writing it. There has already been one CCPA amendment passed in the first few months after it became law, and there are a handful of amendments currently awaiting (as of August 26, 2019) a Senate floor vote after a version of them already passed through the California State Assembly. There are more than a hundred Assembly bills in front of them in the Senate Daily File, which means it could very well be several days until the California Senate takes them up for a floor vote.
The California Attorney General is also still writing the regulations that will be used to enforce the CCPA, clarify ambiguities, and provide businesses guidance with respect to the procedures that they should follow. The draft CCPA regulations should be published at some point in the fall, according to the AG’s announced timeline.
The amendment that passed last year (SB1121) moved the enforcement date back from January 1, 2020 by up to six months, depending on when the California Attorney General publishes the final CCPA regulations. However, the effective date remains January 1st, and the law did not explicitly move back the start of the private right of action. It is the January 1, 2020 date, not the enforcement date, which was the subject of the survey.
The survey asked the participants why they would not be compliant with the CCPA, and received a number of different answers:
– 35% said their primary reason is the cost of becoming compliant
Cost is an understandable consideration in every compliance program. However, the size of privacy fines issued by government regulators is increasing, and the prospect of a significant fine for a privacy violation should at some point tip the scales as a deterrence mechanism. With the fines of British Airways and Marriott under GDPR expected to exceed $100 million, and Facebook paying $5 billion under the Federal Trade Commission settlement, organizations cannot expect to avoid fines of this magnitude without either increasing their budget or significantly decreasing other compliance initiatives. The high percentage of respondents selecting this answer suggests that compliance budgets in this area are simply not growing at the same pace as regulatory changes.
– 32% stated they were waiting to see how the CCPA will be enforced
The wait-and-see approach might make sense if it were limited to those areas where the Attorney General is going to issue regulations this fall. However, the private right of action with respect to data breaches is still scheduled to go into effect on January 1, and businesses cannot afford to delay their compliance efforts in this area.
Additionally, delaying plans to improve data privacy more than a year while awaiting the outcomes of AG enforcement could be a big miscalculation given the current atmosphere around privacy. If a regulator or the media decides to turn its attention to a business’ privacy practices, it could generate significant negative publicity.
The one aspect of the new California law that favors this approach is the thirty (30) day cure period. Businesses that receive a notification of suspected noncompliance from the California Attorney General will have 30 days to cure the violations before an enforcement action can be brought. For the data subject access rights in particular, this seems
– 17% said they didn’t think their organization is large enough to face fines
The problem with this thinking is that an organization may be small in size yet hold particularly sensitive data which could draw the attention of the California Attorney General. Organizations which are small yet work with larger companies may also become the target of investigations. Both have been seen in the early enforcement actions under GDPR by the EU Data Protection Authorities (DPAs). While they have a number of investigations running concerning data privacy practices at large tech companies, the DPAs have also concluded investigations into a number of smaller companies in their first year as well. As a result, it would not be surprising if the CaAG conducts audits of a few small businesses in the first year following consumer complaints in order to send a message to all covered businesses that they may be subject to an enforcement action if they are not in compliance with the law.
The other aspect of the CCPA that is concerning about this selection is the private right of action for consumers, which does not require the AG to pursue an enforcement action. Instead, if a company suffers a data breach that exposes unencrypted personal information of California residents, a consumer whose personal information was exposed may hire an attorney and pursue a class action lawsuit against the company. The CCPA permits the consumer to seek both statutory damages of between $100 and $750 per person per incident and reasonable attorneys’ fees for their legal counsel. This section was not delayed by SB1121, and it allows penalties which would be staggering to many smaller businesses.
– 11% said the law is new to them and they are unsure of the requirements
The CCPA has now been on the books for over a year, and the one-year anniversary of the SB1121 amendments is coming up. If your organization falls into this camp, it is important to start taking action on data privacy. There is still time to take appropriate action, but that time is rapidly dwindling.
– 4% believe the law does not apply to them.
The scope of the CCPA is not nearly as broad as the European Union General Data Protection Regulation (GDPR), so it is possible that these individuals are right. The CCPA only applies to covered businesses that meet the revenue / data threshold and does not apply to nonprofit organizations. However, if your organization believes that the law does not apply simply because it does not have $25 million in revenue, it is crucial to also make sure that your organization does not hold personal information on more than 50,000 consumers, households or devices.