February 19, 2020

The CCPA is now in effect. What now?

Client Alert
Julian L. Bibb IV | Leigh Stanfield

January 1 marked the effective date of the California Consumer Privacy Act of 2018 (CCPA), widely regarded as the state’s answer to Europe’s General Data Protection Regulation (GDPR).

But with the law technically in effect, many businesses and data privacy practitioners are left stepping into muddy waters in their compliance efforts. Indeed, between ambiguities in the law itself and additional regulations still in the drafting phase, many aspects of the CCPA and its requirements for covered businesses are yet to be determined.

Unfortunately, with January 1 behind us, “wait and see” is no longer a viable option for businesses trying to understand how the CCPA will be interpreted and applied. The question then becomes: What should businesses be doing now, while the state of California “debugs” its pilot data privacy laws? While a definitive answer to that question remains a moving target, we have compiled a set of five “compass points” that businesses should bear in mind as they craft their compliance mechanisms in these early stages of the CCPA’s implementation:

1. Transparency is Key.

One of the key directives of the CCPA is to inform consumers of your business’s information collection practices. Businesses implementing the various notice and disclosure requirements should do so with an eye toward transparency and making the disclosures understandable, readily available, and accessible to consumers.

2. Know What You Know (and Who Else Knows It).

As many businesses are finding out, it is difficult to inform consumers about a business’s information collection practices when the business itself doesn’t have a firm grasp of those practices. Preparing an internal “map” of the information a business takes in, how that information is used and, if applicable, how that information is shared, will help businesses prepare their required notices and respond to requests from consumers as they start to roll in. This requires that businesses “do their homework” and corral various teams (marketing, sales, customer service, etc.) so that they have a firm grasp of company-wide data practices.

3. Good Customer Service is Good Practice.

The CCPA gives California consumers the right to request certain information about a business’s information practices. There are specific procedural requirements related to those requests, and businesses should make sure that their request management systems can meet those requirements. That said, on a fundamental level, good customer service will go a long way toward helping businesses handle their request obligations.

4. Great Security is Great Practice.

While the notice and disclosure requirements under the CCPA may seem like more than enough to keep compliance teams busy, the CCPA also includes certain security obligations that businesses should not overlook. The CCPA provides a private right of action to consumers whose nonencrypted or nonredacted personal information is subject to an unauthorized access or other disclosure “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” As a consequence, businesses without appropriate information security could face significant exposure under the CCPA.

5. Stay Flexible.

Last but not least, businesses should remember this: The data privacy landscape is shifting rapidly. Not only is the CCPA changing—on February 8, the California Office of the Attorney General released revisions to the regulations implementing the CCPA; the revisions will be addressed in our next blog post—but there are new laws in the works in other states, and even the federal legislature. Flexibility and responsiveness to new laws will be essential for businesses moving forward, as they work to stay compliant in their data privacy practices.
