• Regulations

CCPA Regulations Are Finalized. What Does It Mean for Your Business?


The wait is over.

California’s Attorney General (AG) has issued the final version of the California Consumer Privacy Act (CCPA) regulations. The final edition, published on June 1, 2020, is unchanged from the last draft, which was published in March. That’s a relief for anyone who has been trying to keep up with the multitude of changes in the first and second round of modifications.

Does This Mean CCPA Is a Done Deal?

Not so fast.

There’s still one more step in the process: the final text of the CCPA regulation needs approval from the California Office of Administrative Law (OAL). OAL has 30 working days, plus an additional 60 calendar days under an executive order related to the COVID-19 pandemic, to review it for procedural compliance. The AG has requested an expedited review by OAL in hopes that CCPA regulations can still become effective by July 1, which is the date the AG’s office plans to begin enforcement.

Regardless of whether CCPA gets the stamp of approval in July or September, enforcement is right around the corner, and now is the time to make sure your business is prepared. In a previous blog post we reviewed the most important modifications in the last version of CCPA regulations and how they will impact your business. The net-net is still the same for businesses: CCPA and other data privacy laws will continue to evolve and businesses need to keep up with the changes, or risk under-compliance or over-compliance.

Next Up: The California Privacy Rights and Enforcement Act of 2020

The California Privacy Rights and Enforcement Act of 2020 is a California ballot initiative slated for the November 2020 election. It seeks to continue the work started by CCPA by strengthening consumer protections and defining new requirements businesses need to follow. Privacy leaders will need to stay tuned as we approach November.

Ensuring Compliance:

The easiest way to ensure compliance with CCPA, the new ballot initiative and any new law that evolves, is by implementing privacy management technology to simplify and streamline privacy compliance. After all, it’s difficult to respond to Data Subject Access Requests when you lack a holistic view of the personal data your company handles.

You may think you’re fully complying with a request to access or delete a consumer’s personal data, but your company may have databases or stores of customer data lurking elsewhere, perhaps obtained through an acquisition or merger. As explained in a recent Forbes article, many businesses still have fragmented and siloed data, which puts them at risk.

Even if noncompliance is accidental, consequences are real.

Speaking of consequences, the concerns about litigation are proving to be valid. The European Union’s General Data Protection Regulation (GDPR) was a good predictor of the wave of data privacy litigation we would see in the US under CCPA and other regulations. And we’re already seeing cases citing CCPA and alleging CCPA violations. This CCPA litigation tracker listed 21 cases filed in California courts as of June 1, 2020. The cases include class action lawsuits as well as other creative ways of leveraging CCPA regulations in privacy violation claims. You don’t want to risk your brand reputation by getting sued or fined for violations.

Where does this leave your company today?

Let’s take a look at how to prepare now for CCPA enforcement:

  • Review our CCPA to-do list. All of the to-do are still apropos. It’s especially important to focus on the ways you can evaluate, automate and evolve your privacy program in 2020. This summer to-do list for CCPA is another resource for checking the boxes for compliance.
  • Recognize the impacts of Covid-19. The pandemic may have waylaid the some administrative timelines, but the California AG’s office is indicating that it’s not cutting businesses any slack when it comes to enforcement. Covid-19 has also caused a spike in the use of videoconferencing technology, spurring new data privacy lawsuits against Zoom and other companies.
  • Implement a privacy management solution that’s flexible enough to adapt to changes and accommodate new state, federal or international privacy laws. New laws are already in the works, so don’t let your compliance solution leave you pigeonholed.

These are complicated times for businesses, but you’ll be prepared for CCPA if you stay focused on the needs of your customers and prospective customers. If you make sure every step of their data privacy journey is transparent and builds trust in your brand, everyone will come out ahead.