CCPA Enforcement Begins. Are Companies Ready?
The California Consumer Privacy Act (CCPA) generated plenty of headlines when it went into effect on January 1st. We covered tools for compliance, the law’s long-term effects, as well as its pitfalls and promise here at Street Fight. But a six-month grace period before enforcement coupled with the arrival of coronavirus shifted the attention of the location data world partially away from the nation’s first major privacy law.
That enforcement grace period ended this week, and with it, a new era in consumer privacy began.
The California Attorney General can now enforce the law. While that’s good news for consumers, it also means that businesses that have been taking the wait-and-see approach need to implement a mechanism for responding to privacy requests — and fast.
“We expect to see actions quickly from [California Attorney General] Xavier Becerra, especially against those who are flagrantly non-compliant, as he has been quite aggressive in his build-up rhetoric,” says Dan Clarke, president at IntraEdge.
IntraEdge is the company behind Truyo, an Intel-backed GDPR- and CCPA-compliant data privacy platform. Truyo is one of a handful of data privacy platforms being marketed to businesses right now. With full compliance expected, it’s likely that Attorney General Becerra will be quick to make examples of companies that don’t comply.
Despite lobbying from many companies and industry groups, and requests for extensions during the Covid-19 pandemic, the attorney general has declined to extend the grace period for enforcement. Unfortunately, Clarke says many companies waited until the last minute, and now they’re up against the ropes.
A strict focus on data awareness is critical to prioritizing compliance, transparency, and the safeguarding of consumers’ data. At minimum, companies must have visible notices on their websites, and ensure they have a prominent process to intake and answer privacy rights requests. CCPA applies to businesses with gross annual revenues in excess of $25 million, businesses that possess the personal information of 50,000 or more consumers, or businesses that earn more than half of their annual revenue from selling consumers’ personal information.
The law offers California residents the right to request access to all the data companies have collected about them, grants the right to ask that this data be deleted and not be sold, and provides grounds to sue companies that fail to safeguard consumer data.
The risks for non-compliance are severe. The attorney general can impose financial penalties up to $2,500 for non-willful violations and $7,500 for intentional violations. Those numbers may seem slight, but they can multiply quickly if thousands of users are implicated in a single violation.
Privacy compliance is an ongoing obligation. Companies must make their efforts to comply visible to consumers by providing prominent access to a “Do Not Sell My Information” link on their websites and including a mechanism to submit requests and opt out of the sale of data.
“If a consumer can’t locate the link or can’t easily determine how to exercise their rights, it’s much easier to enforce a fine for non-compliance,” Clarke says.
Although there are a number of categories of businesses that are exempted from CCPA compliance, the vast majority of publishers now need to give consumers a way to opt out of third-party data transfers. They also need to be able to demonstrate compliance to regulators in the event of an investigation or a complaint.
While the rights of individuals are the same now as they were before July 1st, the big difference here is that the attorney general can now levy fines against non-compliant companies. During the period between January 1 and July 1, consumers had the ability to file a complaint form with the attorney general in the event they couldn’t exercise their privacy rights. Although these complaints have not been made public, the attorney general has stated that they could be public “sometime” beginning this month. Those complaints are likely to form a basis for enforcement actions.
“Privacy compliance is fluid in this ever-evolving privacy landscape,” says Clarke. “Businesses must adopt a privacy-first mindset and think about implementing an automated solution that can scale with global and local privacy regulations to keep up with regulations that will only transcend with time.”
Stephanie Miles is a senior editor at Street Fight.