Organizations covered under the California Consumer Privacy Act (CCPA) have less than six months to become fully compliant with the law that goes into effect Jan. 1, 2020. Mike Vanderbilt, privacy director at Baker Tilly, noted at a June webinar that, just like other data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR), the CCPA “establishes a high-level framework that organizations must comply with and provides certain rights to the individuals that it's designed to protect.”
The CCPA was enacted in June 2018 and the state legislature has already amended it more than once even before it goes into effect. The CCPA – which in some respects is modelled after the GDPR – provides consumers with the right to:
Vanderbilt noted that the law has a one-year look-back, meaning that all data that organizations are processing in 2019 will be covered when the CCPA goes into effect in January 2020. He said, “Data is no longer the sole property of the company that holds it. With the CCPA and the other privacy regulations out there, individuals have a real say in how their data can be used.”
The CCPA applies to all for-profit businesses – whether or not they have a physical footprint in the state – that process the personal data of California residents and meet one of the following thresholds:
Any person, business or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation. Unintentional violations that are not fixed within 30 days could see penalties of up to $2,500 per incident. Vanderbilt said, “You don't want to be in a situation where you're collecting very sensitive data and you're not treating it as though it's very sensitive data.”
Vanderbilt highlighted a few things that stand out about the CCPA:
Organizations identify several obstacles on their journey towards CCPA compliance, including:
Vanderbilt said that in order for organizations to comply successfully with the CCPA they need to get buy-in at all levels of the organization. “We can't have the finger pointing,” he said. “All components and all departments of the organization need to align. Privacy is here and it is only going to become more stringent, so we need to address these items.”
Vanderbilt highlighted a few things that organizations should do in 2019 prior to the CCPA going into effect next year:
Vanderbilt said organizations need to make sure they have access to the appropriate expertise necessary to become CCPA compliant. “You need to make sure that you have governance and accountability in place to ensure you not only meet that compliance, but that you stay compliant, especially as the CCPA changes and evolves.”
A majority of participants at the webinar noted that their organizations had done little or no work to prepare for the CCPA. In addition, Vanderbilt noted that since the California legislature has amended the CCPA more than once since enactment, “We are not exactly sure what it's going to look like in January when it goes into effect, and we're also not really sure what enforcement's going to look like.”
California and Nevada are the only two states that have passed data privacy laws, although 14 other states are considering them. Vanderbilt said it is more likely that organizations will have to adjust to several different state privacy laws before the federal government ever passes a law as comprehensive as the CCPA or GDPR.
He concluded, “The important thing to do is simply keep trudging down that path, document what you're doing, document your assumptions, and keep moving forward.”
The webinar recording and slide deck are available here.