It's Official: CCPA Enforcement BeginsMove Comes Despite Lack of Final Version of Sweeping Data Protection Law
Enforcement of the California Consumer Privacy Act officially began Wednesday despite the lack of a final, codified version of the regulation.
The law applies to organizations - regardless of location - that have access to Californian’s personal data.
Regulatory experts advise that organizations should prepare to comply with a draft resolution presented by California Attorney General Xavier Becerra's office to the state's Office of Administrative Law for final approval on June 1.
Technically, CCPA is not enforceable until the OAL completes its review and returns the resolution to the attorney general's office. Nevertheless, in a Tuesday statement, Becerra announced the attorney general's office would begin enforcing the measure Wednesday.
"I and many others are advising our clients to act as if the final proposed regulations are in effect, given that enforcement will ultimately be retroactive to Jan. 1, 2020,” says Richard Santalesa, founding member of The SmartEdgeLaw Group law firm.
Emma Bickerstaffe, senior research analyst at the Information Security Forum, notes that the CCPA draft guidance was last updated in March, so organizations have had time to get ready.
"Although they have yet to be adopted as law, they reflect how the California attorney general will interpret the CCPA and what practical measures should be in place to achieve compliance," Bickerstaffe tells Information Security Media Group.
CCPA was officially signed into law on June 28, 2018 and went into effect Jan. 1, 2020. But the state said it would not prosecute any companies that failed to comply for the first six months the law was in effect. Meanwhile, several possible changes to the law are still being vetted by the OAL.
Shannon Yavorsky, a privacy and data security partner at Orrick, a New York-based law firm, says it’s unclear if the state can legally attempt to enforce regulations that are not reflected in a final, codified law. Regardless, her firm is advising clients to behave as if the law will immediately be enforced.
CCPA at a Glance
Under the CCPA, California residents have expanded data protection rights. Personal information protected under CCPA includes email addresses, online handles, IP address, biometric information, geolocation data, and browsing and search history. The data protection rights include:
- Right to Know: Consumers may request that a business tell them what personal information they have collected, shared or sold about them and why.
- Right to Delete: Consumers may request that a business delete personal information that the business collected from the consumer, with some exceptions.
- Right to Opt-Out: Consumers can ask that a business refrain from selling its personal information.
- Rights for Minors: A business cannot sell the personal information of minors under the age of 16 without their permission and, for children under 13, without parental consent.
- Right to Non-Discrimination: A business cannot discriminate against consumers who exercise their rights under CCPA.
Yavorksy explains that businesses must comply if they have gross annual revenue in excess of $25 million. They also must comply if they buy, receive or sell the personal information of 50,000 or more consumers, households or devices, or derive 50% or more of its annual revenue from selling consumers' personal information.
Not-for-profit organizations and government agencies are not governed under CCPA.
In a blog on CCPA, security firm Varonis notes that maximum potential penalties for intentionally violating CCPA are $7,500 for each breach of the regulation. The maximum fine for violations lacking intent is $2,500 for each incident.
CCPA allows for consumers to file lawsuits to collect between $100 and $750 if their "non-encrypted or non-redacted personal information" is breached.
Preparing for Compliance
Because CCPA’s provisions are somewhat similar to the European Union's General Data Protection Regulation, which has been in effect since May 25, 2018, companies that conducted the data mapping that was necessary under GDPR should find it easier to comply with CCPA.
Santalesa, the attorney, recommends companies:
- Review procedures for compliance with CCPA’s "do not sell" clause that allows consumers to stop businesses from selling their data;
- Update their data flow and data mapping to have a solid understanding of where consumers’ data resides and how it’s being used, so it can be protected;
- Review all vendor contracts to make sure that necessary obligations are imposed;
- Conduct effective employee training on CCPA compliance.