As of this writing, the California Consumer Privacy Act (CCPA) has only been in effect for a few weeks but has already changed the way many companies inside and outside of the Golden State do business.
Quick refresher: CCPA regulates how companies that do business in California collect, share, and sell consumers’ personal data. In addition, the law gives California residents the right to opt out of having their personal data sold. We have written extensively about CCPA on this blog, and you can learn more by reading our overview, compliance checklist, and thoughts on changes to business practices spurred by the law.
Similar to how California’s emissions laws have changed standards across the country, it’s likely that CCPA will have the same effect on businesses and consumers regardless of their physical presence in the state. The data privacy landscape has changed significantly over the past several years, and the effect of CCPA data security regulations will probably keep that momentum going.
Although the law is still in its early stages, we’ve already observed the impact it’s having. Here are our five takeaways of what organizations (inside or outside) of California should know now that CCPA is in effect.
1. An enforcement delay is keeping companies in limbo
As with many new laws, there is a gap between CCPA’s enactment and enforcement dates. In this case, it’s six months, meaning that the California Attorney General will not begin pursuing CCPA violations until July 1, 2020. In addition, final details and rules have not yet been released, although they should be available before the enforcement date.
Right now, many companies see this time as a wait-and-see period. It will probably not be until California starts actively enforcing the law that organizations will see what CCPA compliant data integration actually means.
There is also an additional question of the Attorney General’s ability to actually enforce the law. It has been reported that the department only has about 12 agents dedicated to investigating CCPA violations, and the office may only be able to prosecute three cases a year.
2. There are more regulations on the horizon
CCPA is just the beginning. Multiple states, including highly-populated New York and Texas, have CCPA-like (and even bolder) bills moving through their legislatures. And the California law itself may just be the first iteration of privacy regulations in the state. Many California privacy advocates don’t think that CCPA has gone far enough and are in the process of organizing a ballot initiative to strengthen the law. One component of the proposal, currently titled the California Privacy Rights Act of 2020, would create an independent regulatory agency tasked with enforcing the law.
It’s also an open question of how this patchwork of state laws will influence any federal legislation. Some California privacy activists fear that a pre-emptive federal law would diminish the rights offered to consumers under CCPA. Technology companies have been on the other side of the argument, saying that a federal law would give all consumers the same rights and allow for more consistent enforcement through the Federal Trade Commission (FTC).
3. Customer privacy expectations are changing
Even before CCPA was passed there was a growing demand by consumers to have access to their personal information collected by companies. Some organizations like Facebook have already made it possible for users to download all of the data that the company has collected over the years.
In addition, Microsoft and Mozilla have announced that they will extend the rights granted by CCPA to all of their users across the United States. It will be interesting to see if other organizations take a similar approach, as opposed to creating California and non-California versions of all of their products and services. Preemptively giving consumers access to their data may turn out to be a competitive advantage for some companies.
4. The definition of PII and how to present it to consumers is unclear
California consumers who have already tested out their rights under the law are dealing with processes that seem to vary from company to company. Uber and Lyft, for example, differ in what they disclose to consumers (ratings and customer service calls), despite collecting almost identical information.
There are also several types of data that are exempt from the sharing and disclosure rules of CCPA. This includes health information covered by the Health Insurance Portability Accountability Act (HIPAA) and financial data regulated by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. There is confusion about the types of organizations that are not subject to CCPA because of these federal exemptions.
5. Data compliance laws will require organizational agility
Data privacy laws in the United States are probably here to stay. The real question is whether there will ever be standard regulations for all organizations to follow.
This period of uncertainty presents an opportunity for companies to make security a more centralized component of how they do business. They will need to look at data security as an ongoing process that always has room for improvement. This also requires a shift in who is responsible for keeping customer and internal data safe. It can’t just be the security team who’s in charge of data governance. Now is the time to create real procedures around who can access PII, how to deal with consumer requests and ongoing education around privacy laws.
As issues surrounding data security and data privacy grow increasingly complicated, organizations that keep control of their data are going to have a leg up when it comes to adhering to new regulations and even implementing their own protocols that build consumer trust. Imagine being one of the few brands that don’t wait for the law to dictate concern for data security.
There’s still time.