The CCPA Is Finally Here. What’s Next for Companies Doing Business in California?

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. In the preceding months, companies scrambled to put a CCPA compliance framework in place amid uncertainties over new data protection regime and unfinalized regulations.  However, having survived the dreaded deadline, now is not the time for companies doing business in California to breathe a sigh of relief.

As the CCPA data subject requests start rolling in, the first months of the year will be the time for the organizations to test their newly developed compliance processes and procedures and assess new privacy metrics. Going forward, a successful privacy compliance program will require ongoing monitoring, assessment, and nearly continuous maintenance and improvement.

Although the Attorney General is not expected to begin enforcement of the CCPA until July 1, 2020, he promised to monitor for potential violations in the first six months that involve sensitive and critical data of a large number of California residents.  Furthermore, the Act does not prohibit the Attorney General from brining an enforcement action after July 1 based on a pre-July 1 violation.  In addition, consumers who suffer a data breach may now file private actions under the CCPA against companies that fail to adopt reasonable data breach security practices.

The CCPA mandates the Attorney General to adopt the final CCPA regulations before the July 1 enforcement date. Last month, Attorney General Becerra publicly stated that he does not expect to make major changes to the proposed regulations published in October.  Thus, companies should strive to begin complying with the regulations now rather than wait for their official publication and then race the clock before the enforcement deadline.

In the meantime, Alastair Mactaggart, the proponent of the 2018 California ballot initiative that led to the enactment of the CCPA, submitted a new privacy initiative, California Privacy Rights Act (CPRA), which he hopes to place on the ballot in November of 2020.  If enacted, the CPRA will significantly amend the CCPA and further expand privacy rights of California consumers as well as compliance obligations of California businesses and their service providers and contractors.

The CPRA will, among other things, permit consumers to: (1) prevent businesses from sharing (in addition to selling) personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information,” such as precise geolocation, race, ethnicity, religion, genetic data, union membership, private communications, and certain sexual orientation, health, and biometric information.  The proposed law will prohibit businesses from collecting and using personal information for purposes incompatible with the disclosed purposes, and from retaining personal information longer than reasonably necessary.  The CPRA will also establish a new California Privacy Protection Agency which will be tasked with enforcing and implementing consumer privacy laws and imposing administrative fines.   The CPRA would become operative on January 1, 2023 and its obligations would only apply to personal information collected after January 1, 2022.

Californians for Consumer Privacy, Mactaggart’s nonprofit group, is required to collect more than 620,000 signatures by this summer to put the CPRA on the ballot in November.  The group previously collected more than 629,000 signatures to qualify the CCPA for the ballot in 2018.  It remains to be seen whether they will succeed this time around and whether the legislature will strike another compromise and legislatively expand the CCPA before the new initiative is placed before the voters.

In any event, it promises to be another eventful year for companies subject to the California privacy laws.  We’ll continue to monitor the regulatory and legislative developments in the Golden State and report them in our blog.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653