While most businesses are aware, a surprisingly small number report that they will be ready to comply with the California Consumer Privacy Act (“CCPA”), when it officially takes effect on January 1, 2020.
The CCPA was first signed into law in September 2018. Often touted as “GDPR Lite” or “GDPR 2.0” because of its similarity to the European regulation, CCPA’s key provisions are summarized as follows:
Since the CCPA was passed, it has already undergone changes, in September, 2018, and again on February 25, 2019, with the introduction of California Senate Bill 561 (“561”). While some changes were merely cosmetic, fixing errors, etc., the substantive changes aimed to clarify and strengthen the law. For example, 561’s amendments:
561, while a start, does not clarify all ambiguities in the CCPA. For example, language such as “households” remains vague as to whether it means consumers, or a combination thereof. Also, while the language of “consumers” and “businesses”, and other evidence seem to suggest that the CCPA was not intended to include “employers” vis-à-vis their “employees”, nowhere in the text does it clarify the same. If an amendment did indicate that the CCPA applied to employers and their employees, businesses in California would have to implement stringent security safeguards, as data breaches often involve divulgence of employees’ personal information. Therefore, while 561 provides the initial amendments, the CCPA likely will see further amendments prior to its January 1, 2020 launch
In conclusion, businesses subject to CCPA should begin to take steps toward compliance now. Data mapping, updating policies, developing teams, increasing security measures and other activities that will be required for compliance take time to implement. Businesses with questions as to whether it is subject to CCPA, or what steps to take, should contact a privacy attorney.
For further information regarding this topic, please contact:
Natalie A. Remien at firstname.lastname@example.org or 312-368-0100.