CCPA: Let the Enforcement Begin

Nearly two years ago, the California legislature passed the most comprehensive privacy and cybersecurity law in the US – the California Consumer Privacy Act or CCPA. The law gives consumers a wide range of rights and creates a series of obligations for businesses – from giving consumers access to the information about them to acting on customer requests to stop selling personal data for marketing purposes or outright delete information in certain circumstances.

The CCPA went into effect on January 1st of this year, but the enforcement date of the Act was more recent – July 1st. California Attorney General Xavier Becerra has already announced that he is ready to enforce the law, but what are businesses doing to meet the requirements of a privacy law still described as confusing? The BBB National Programs Better Series Podcast convened a panel of experts to discuss how businesses are working to comply with the CCPA.

“It’s been a bit of a cluster because there hasn’t really been any certainty as to what you can do,” noted Heather Federman, Vice President of Privacy and Policy at BigID. “In a business context, you typically want to know how you’re going to execute and how you’re going to operationalize something that isn’t always clear right now. Applying the 80 / 20 rule, just understand that you probably won’t be able to achieve 100 percent compliance with this law because there’s a lot going on here.”

One of the threshold challenges that businesses have is responding to consumer requests for the information companies collect, use, and store about them. According to Federman, that’s not always easy. “I have to know where that data is within my systems. I would need to figure out the right way to be able to provide a report on what that data is, and be able to repeat this process again, and again, and again.”

Cobun Zweifel-Keegan is a privacy lawyer with the BBB National Programs and works to build new accountability initiatives for the future of privacy. He views the CCPA as a chance for companies to differentiate themselves from their competitors.

“This isn’t going to be the last piece of privacy legislation or regulation that we see setting the minimum standards for privacy best practices moving forward,” Zweifel-Keegan commented on the podcast. “So I think a lot of companies are actually looking at the uncertainty as an opportunity to set themselves apart in terms of privacy compliance. For example, Microsoft saying we’re going to apply CCPA rights everywhere, across the board.”

Julian Flamant, a privacy and cybersecurity attorney at Hogan Lovells, isn’t sold yet on the idea of expanding the CCPA to non-California residents. “I’m not sure that applying the CCPA more broadly will really become the norm. While we are seeing some companies applying these rights or CCPA compliance measures more broadly, we’re still seeing notices that are specifically tailored to California consumers.”

You can learn more about how the California Consumer Privacy Act may impact your business by listening to the Better Series Podcast.