(NB: Before reading this post, we suggest you read Part 1 of this series, "Where Does the Law Stand Now?" from June 3, and Part 2, "General Observations on Pending Amendments to the CCPA" from June 5.)
Although the pending legislation makes the final requirements of the CCPA difficult to predict until the end of the legislative session in September, a clear trend is apparent. The legislation currently pending in California indicates a movement towards increased data privacy regulation and an expansion of its applicability. Legislators have no intention of slowing down the pace of data privacy legislation and businesses should take note. While there have been attempts at the national level to pass comprehensive federal privacy legislation which would have a harmonizing effect across the 50 states, this seems unlikely in the near future. Instead, in the U.S., privacy legislation will remain in the hands of the states. The CCPA is the strictest privacy legislation in the United States. It is representative of a general trend nationally and globally that has strengthened consumer protections as well as consumers' rights over their data. This trend is fueled by the recognition of the economic power data assets bear and the risks associated with misuse.
What is certain is that businesses that are subject to the CCPA must be fully compliant by January 1, 2020. Even if a business does not meet the applicability thresholds of the CCPA now, it may in the future be required to comply with it or similar legislation in another state. With less than six months to comply, procrastination is not an option and can lead to an operational scramble or worse – costly penalties. An operational approach to compliance with clear objectives, milestones, and phased-in implementation, however, can ensure a much smoother and less costly transition. Even businesses not currently subject to the CCPA should evaluate data assets throughout their life-cycle. This will allow them to make necessary operational changes over time. Here are some practical steps that can be taken on the road to compliance with the CCPA:
- Assign and budget for a team to plan and implement CCPA compliance;
- Create a road map outlining privacy objectives, a timeline, milestones, and CCPA-related goals;
- Assign, delegate, and train – CCPA compliance is an organization-wide undertaking;
- Identify the technical expertise required to operationalize CCPA compliance – understanding the CCPA's requirements is not the same as operationalizing them;
- Think ahead and implement privacy by design.
Privacy regulation in California and globally is increasingly making regulatory compliance a challenge. Businesses must recognize, however, that the CCPA and similar laws are here to stay and that they will strengthen future consumer rights. Businesses should prepare for these challenges and continually review how their data assets are used, maintained, and protected within their organization. Privacy by design and proactive data privacy and security policy development will not only assist businesses in complying with privacy laws, but by safeguarding data assets, businesses of the future may gain a competitive edge.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.