Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
By guest blogger Jeff Kosseff
[Jeff Kosseff is an assistant professor in the United States Naval Academy’s Cyber Science Department. The views expressed are only his and do not represent the Naval Academy, Department of Navy, or Department of Defense. Thanks to Lydia de la Torre for helpful feedback on an earlier draft of this post.]
[Eric’s note: I did a comprehensive update to my short primer about the CCPA, this time with more commentary and predictions. Check it out!]
Last summer, the California state legislature received national attention when it quickly passed a sweeping privacy and data protection law, the California Consumer Privacy Act (CCPA). The legislature modestly later amended the 10,000-word law, and this summer is considering further amendments to address the statute’s scope and requirements.
Much already has been written about the substantive criticisms of this extraordinary legislative mandate. I’m going to set that debate aside for now, and focus on an issue that is more procedural but still quite important: the timing of the law’s effective date. Currently, it is set to go into effect on Jan. 1, 2020, with enforcement starting no later than July 1, 2020. To increase the chances that companies will actually comply with the law, the legislature should delay its effective date until a year or two after the statute and its regulations are finalized.
The CCPA imposes a number of restrictions on companies’ ability to collect and process Californians’ personal information, and it provides Californians with a number of rights, such as access to and deletion of data. The law also regulates agreements with service providers, sale of personal information, and other areas.
To address concerns about some of the bill’s provisions, the California legislature has been considering a number of amendments, ranging from procedural to substantive. According to a post from David Strauss of Husch Blackwell, 13 bills amending or supplementing CCPA passed the Assembly as of June 9, though he cautioned that “the fact that many of these bills passed the Assembly does not mean that they are certain to pass the Senate or, even if they do, that they will pass in their current form.” Strauss reports that in light of the legislature’s one-month summer recess, the amendments likely will be considered in August and September.
Among the most prominent amendments is AB-25, which would exclude a company’s employees, contractors, and agents from coverage. Such a change could have a significant impact on CCPA’s applicability, both for companies and their service providers. AB-873 would revise the definition of “deidentified” data that is excluded from CCPA’s coverage. As Akin Gump noted in a recent run-down of the pending changes, the amendments “could impact the scope and some requirements of the CCPA.”
The amendment process is not the only source of the uncertainty. The CCPA, as amended, requires the California Attorney General to adopt regulations on certain topics under the law by July 1, 2020. The CCPA regulations must cover, among other things, rules for privacy notices and procedures for consumers to request a business not sell their personal information. The Attorney General plans to issue a Notice of Proposed Regulatory Action this fall.
What is a business to do in the meantime? As Strauss noted, because “CCPA’s core requirements will remain intact,” companies should push forward on their CCPA compliance programs. For instance, companies should ensure that their systems are properly configured for the access and deletion requirements, and they should update their vendor contracts. Still, the amendments could affect the scope of the law and some of the nuances of its requirements, and the Attorney General’s regulations will provide companies with vital guidance as to how to proceed.
Consider the General Data Protection Regulation, which passed in April 2016, but did not go into effect until May 2018 (though that delay allowed time for member states to enact derogations). As any privacy lawyer will tell you, the intervening two years were chaotic, as companies structured their compliance programs.
To be sure, there is some overlap between GDPR and CCPA, so as PWC noted, companies that have built GDPR compliance programs have “a jump start on building a capability around user-data handling practices.” Despite this overlap, GDPR and CCPA are far from identical, and companies need certainty as to the specific requirements in both the statute and regulation.
Moreover, many U.S. businesses that are not subject to GDPR’s broad jurisdiction might be covered by the CCPA. While some U.S. companies – particularly small and mid-sized businesses – were able to avoid GDPR by not targeting or monitoring people located in the European Union, they very well may be unable to avoid the CCPA. The statute applies to for-profit controllers (i.e. organizations that determine the means and purposes of the processing) that collect Californians’ personal information, do business in California, and fall into one of the following categories: (1) gross annual revenues above $25 million; (2) selling/buying or sharing/receiving for commercial purposes records of at least 50,000 consumers, devices, or households, or (3) deriving at least half of its annual revenues from “selling consumers’ personal information.” Indeed, the International Association of Privacy Professionals estimates that CCPA will apply to at least 500,000 companies in the United States, “the vast majority of which are small- to medium-sized enterprises.”
These smaller companies do not have the internal compliance staffs – or massive budgets for nimble outside counsel and consultants – that many larger companies can rely on to quickly comply with new regulations. It is simply unreasonable to expect them to build out CCPA-compliant technology and procedures within a matter of months.
In light of the continued uncertainty about CCPA’s scope and requirements, the California legislature should delay both the effective date and the enforcement by at least a year, if not two. This would provide companies – particularly the smaller ones that have not built out GDPR compliance programs – with the necessary time to ensure that they comply with the new requirements. A delay also would provide the Attorney General’s office with more time to fully consider the many comments it has received as it develops its regulations.
I recognize the urge to avoid delaying privacy protections in an age when new privacy violations and data breaches seem to materialize every day. But compliance takes time, particularly if you want the company to do it right. A delay in the effective date of the CCPA would increase the likelihood that a well-intentioned company with limited resources will be able to comply with this important new law.
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)