CCPA Enforcement Has Come, Now What?

California has passed a new privacy law, to be regulated by a new enforcement body. The California Privacy Rights Act (CPRA) creates new rights and obligations for anyone doing business in California. But the CPRA passed because of the groundwork its predecessor, the California Consumer Privacy Act, laid down.  

Hopefully, by now you've read the news about California's Consumer Privacy Rights Act (CPRA). Much to many companies' dismay, the second privacy law the state has considered in recent years passed the ballot in November 2020. 

It's important to know because it creates new rights and obligations for companies not only in California but also for anyone doing business in the state. It will come into force in January 2023, and it creates a new regulator in the state to enforce compliance with the statute. The California Privacy Protection Agency will investigate potential violations and provide guidance to companies and organizations aiming to bring their privacy practices in line with the CPRA's requirements. 

But the CPRA passed relatively seamlessly only because of its predecessor, a ground-breaking privacy law: the California Consumer Privacy Act (CCPA), which passed the ballot in 2018 went into effect on January 1, 2020. The Golden State officially has the most robust consumer data protection in the United States. It fits for the new decade that California— which has always led the legislative landscape in consumer protection laws— has once taken into their own hands continued to protect its citizens. Since 1972, privacy has been an inalienable constitutional right of all Californians. Earlier last year, San Francisco banned the use of live facial recognition systems by police and security agencies. The ban also prohibits the use of data gathered by facial recognition systems. New year, a new decade, new rights.

Back in January 2003, the State of California enacted a set of anti-SPAM statutes that were among the strongest in the nation. The California anti-spam law stated that no person or entity could send, or advertise in, an unsolicited commercial email sent from California, nor could any person or entity send, or advertise in, an unsolicited commercial email sent to a California email address. California law defined an "unsolicited commercial email" as any email that, in the absence of a prior-established business relationship, a recipient did not opt-in to receive.

In response to the California law, the United States Congress enacted in 2003 the federal CAN-SPAM Act, which explicitly preempted state laws seeking to ban or regulate email spam. The CAN-SPAM Act makes it unlawful for any person to send a commercial email message unless that email message clearly and conspicuously identifies that it is an advertisement or a solicitation (unless prior consent has been obtained). Further, it requires that senders provide notice to the recipient of her ability to opt-out from further commercial email messages, and lists a valid physical postal address for a sender.

California is again taking the lead with comprehensive data privacy legislation. The CCPA passed unanimously in June 2018. It's the first law in the US to set up a comprehensive set of rules around consumer data, "similar" to the European Union's General Data Protection Regulation (GDPR).

California's economy is the largest in the United States, boasting a $3 trillion gross state product as of 2018. California would rank as the world's fifth-largest economy, ahead of India and behind Germany. Additionally, California's Silicon Valley is home to some of the world's most valuable technology companies, including Apple, Alphabet Inc., and Facebook. In total, more than 10% of Fortune 1000 companies are based in California, the most of any state. It's interesting to consider how the state of California is putting its citizens' needs before their most significant driver of revenue: Silicon Valley.

It's no surprise that some of the largest tech companies in the U.S., most of which are located in California, lobbied to weaken the CCPA's provisions. These companies don't want to be on the hook for having to deal with what they see as burdensome requests enshrined in the state's new law anymore than they currently are for Europeans with GDPR. Despite the extensive lobbying, California's legislature passed the bill with minor amendments, much to the chagrin of tech companies in the state. Now companies like Microsoft, Apple, Salesforce, and others are among those who have issued written statements, opened portals, or made public comments about the need to protect consumer data, with Microsoft echoing California by describing privacy as a "fundamental right."

On May 25, 2018, I recall (and you may remember) a flood of emails and alerts from companies in the past few weeks informing you about changes to their privacy policies, or asking for consent, again, even when they already had it under the EU Data Protection Directive. Back then, companies were given two years to become compliant after the EU adopted the GDPR, and still, many today are struggling to become compliant.

Now, this past week, and what's been interesting to me, is the lesser amount of companies who have performed the necessary updates to their privacy policies and technologies to give California citizens insight and control over how their data is collected and sold. When GDPR came into enforcement, I had received over 100 email notices from companies in that one week. This week alone, I've only seen two email updates and one website banner update. The California attorney general has said, 'We only have resources to bring a few cases a year.'" So maybe companies are saying, "The odds of getting sued are pretty slim?" which I doubt a bit. I know that many companies are also thinking that if they are GDPR compliant, then they must be okay in California, which is far from the truth.

For example:

• GDPR protects all data subjects who generate data within the EU, while CCPA merely affects consumers who are California residents.
• GDPR requires consumers to opt into data collection, while CCPA only offers them the right to opt-out.
• GDPR affects organizations of every size and type in every sector. In contrast, CCPA requires businesses to be a specific size or possess a certain amount of data before the rules can be enforced, with fines assessed on a per violation basis.
• GDPR confers a right for a data subject to delete their information regardless of where it came from, whereas CCPA only relates to data collected from, and about, the consumer.
• Both offer a right to data portability. Under GDPR, organizations must transfer a data subject's information to another data controller if requested, while CCPA requires that businesses divulge details related to data sales and processing activities over the previous 12 months
• GDPR mandates that parents must consent to anyone under the age of 16, having their data processed in an online environment. In contrast, CCPA enables anyone over 13 to agree on their own behalf. It also only addresses the sale of their data and insists on opt-in consent.

Overall, the CCPA isn't a rerun of Europe's GDPR, even though some of the problems it tackles may be the same. Brands and marketing agencies need to consider the impact of CCPA on their data processes, especially with many other states creating their privacy laws, some similar to CCPA. Nevada and Vermont have their privacy statutes; lawmakers in other states, like New York, have tried to introduce bills that are even more ambitious than California's.

Why many more companies haven't given an update to their consumers about their new CCPA rights is beyond me. Still, I'm sure it's because many of them don't have the right technologies in place. Many are now scrambling to find an easy-to-use data privacy platform that instantly helps even their website become compliant with laws such as GDPR and CCPA, which is where most of their data come from these days.

Whatever the issue is, the clock is ticking. The California Attorney General started enforcing the CCPA on July 1, 2020. Now is the perfect time to put a plan into place to not only comply with the CCPA and the GDPR but also to comply with the inevitable state privacy laws that will follow. The good news is, once these practices are established, compliance should be much easier — even automatic — as the privacy landscape evolves.