Businesses not meeting the requirements of the now-enforceable California Consumer Privacy Act are beginning to receive fail-to-comply notices from the state's Attorney General's Office.
Expect more regulatory enforcement action ahead, privacy and security experts said, as many companies struggle to meet all the conditions laid out in the California law.
"There's a continuum of compliance right now," said Robert Cattanach, cybersecurity and compliance specialist and partner of the international law firm of Dorsey & Whitney.
Large tech companies, as well as companies in heavily regulated industries, such as finance and healthcare, are complying with the California Consumer Privacy Act (CCPA), Cattanach said. But other companies and industries are wrestling with compliance, he said.
"There are companies that wouldn't think of being noncompliant even though the cost of compliance is disproportional to the risk. Many companies are trying to get good paper compliance. But other companies have a little bit more appetite for risk," Cattanach said.
Lead-up to CCPA compliance deadline and enforcement
California lawmakers passed CCPA in June 2018. The law gives consumers more control over the information businesses collect on them. Businesses are not only required to safeguard the consumer data they hold, but must also respond to consumers who want to learn what personal information a company might possess. Businesses are also supposed to delete collected data, if requested. The far-reaching law applies to all companies above a certain size that sell goods and services to California residents -- even if those companies aren't physically located in the state.
The law officially took effect on Jan. 1, 2020, and July 1 marked the CCPA compliance deadline.
The California Attorney General's office started sending letters to companies in early July, warning them they have 30 days to comply.
Although executives had nearly 18 months to implement compliance measures before the Jan. 1 effective date, many companies acknowledged in advance they wouldn't be ready by then, said Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP). A 2019 survey conducted by the organization found that 40% of companies wouldn't be in full compliance until the July 1 CCPA compliance deadline.
That remained the plan even as the pandemic hit: According to an April 2020 IAPP survey, 87% of responding companies said the pandemic didn't change how they prioritized CCPA compliance. Some 4% said COVID-19 made CCPA compliance a greater priority, while 9% said the virus forced them to make compliance a lower priority.
Although an overwhelming percentage of companies pledged to comply with the CCPA by July 1, that didn't mean they were all successful in implementing the necessary privacy controls, Fennessy said.
"Anecdotally, we know privacy professionals have had a ton of work thrown on them this year, so we've seen challenges complying with the law and meeting targets that companies had set for themselves," she said. "The rapid shift to remote work is now dominating these professionals' schedules, and that required implementing new technology and communication tools to enable virtual engagement with customers and between employees. At the same time, we're seeing more attacks and threats, so security has become paramount."
COVID-19 isn't the only issue complicating CCPA compliance. Many businesses aren't clear on certain aspects of the law and how those points apply to them, Cattanach said. He pointed specifically to the law's restrictions on selling consumer data, explaining that, in some cases, where companies shared data with their vendors, that transfer of information could constitute a sale.
Requirements governing how consumers can see their data and request that information be deleted are also hamstringing companies, Cattanach said.
"To this day, many companies struggle getting to where they need to be and putting procedures in place," he said.
Many companies have yet to develop strong data governance practices or adopt compliance-first mindsets, privacy experts said.
"Companies don't even know what data they have. And they don't even know where all the data is," said digital identity and security authority Eve Maler, CTO at ForgeRock, an identity and access management software company.
Preparing for increasing focus on privacy
CCPA and other government actions -- as well as a burgeoning consumer interest in privacy issues -- are forcing executives to invest more in data governance.
"Companies have to know the information they're collecting and how it's used, or they're more likely to be in the crosshairs of regulators or private [consumer-initiated] legal action," said Matt Stamper, CISO at Evotek and president of the San Diego chapter of ISACA, an IT governance group. "Companies have to anticipate that, and they have to expect increased regulatory scrutiny on how they handle information."
If companies don't take the right steps, achieving compliance will only become more challenging. CCPA, the European Union's GDPR and Brazil's General Data Protection Law are already on the books. Expect additional privacy legislation as lawmakers in other U.S. states and nations determine how they want to protect consumer privacy.
Organizations, Stamper said, need to craft data policies that enable them to see all the data they have, how it's used, where it flows and where it's stored. "You want to have a good, intimate knowledge of the data the organization collects and its systems of record and then document that there are the requisite controls around all of that," he said, adding that data policies must be driven by a unified effort that includes privacy, security and data officers, legal and compliance leaders, as well as business unit executives.