The California Consumer Privacy Act (CCPA), which is the most groundbreaking data security legislation in the United States, is now enforceable. Broadly, the CCPA provides consumers access and control over their personal information. It also allows users to have a say in how organizations collect, use, and disseminate this personal data. The law is revolutionary because it will set the stage for other states to follow suit and crack down on consumer privacy violations. It may also finally spark the creation of a comprehensive federal privacy law, especially if there are enforcement issues or continuing arguments over the law’s text.

After the law’s enactment in June 2018, there was over a year of debate regarding several proposed amendments because many felt that the law contained gaps and ambiguities. Only a handful of the proposed amendments were accepted and adopted into the law on Oct. 11, 2019. The CCPA then became effective on Jan. 1, 2020. However, the Office of the Attorney General created regulations to help provide guidance and clarification on several sections of the CCPA. The Office did not submit the final version of these regulations until June 1, which made the CCPA enforceable on July 1, 2020. Even though the CCPA is now enforceable, the regulations are still awaiting final approval by the California Office of Administrative Law (OAL).

A Breakdown of the Amendments

Several amendments to the CCPA were originally on the table, but only six survived by the time the law became effective this past January. Here are the key takeaways from the remaining amendments that organizations should know:

• There are two limited and temporary exemptions. Until Jan. 1, 2021, the law exempts data related to employees and job applicants that an organization collected for human resources purposes. Consumers still have a right to know that the employer collected data, just not specific details should the data fall under the exemption.

• The second limited and temporary exemption that also expires on Jan. 1, 2021 is for business-to-business customer representative personnel data. Relatedly, the same amendment also granted the attorney general the right to make additional rules and procedures about compliance with verifiable consumer requests.

• The “publicly available” exception contained in the definition of “personal information” was broadened to encompass any lawful data from government records. The amendment also made clear that to be considered “personal information,” data must be reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

• The law contains some exemptions for vehicle information used in relation to warranties or recall repairs.

• The law requires that data brokers register with the attorney general and pay a fee. Data brokers also have to provide contact information and an optional explanation about their collection practices. Many organizations could be subject to this, since the team ‘data broker’ is broad and encompasses businesses that buy and sell consumer data, but do not have a direct relationship with the consumer.

• If an organization operates solely online, it only needs to provide an email address as a way for consumers to send requests under the CCPA.

Other amendments are still pending. One amendment that has a good chance of passing is seeking to extend sunset provisions for the two limited exemptions until Jan. 1, 2022 due to the COVID-19 pandemic delaying many legal proceedings.

A CCPA Checklist

All organizations that fall under the CCPA’s reach should already have taken steps towards compliance. Proactive steps include reviewing the law and following amendments, understanding obligations, tightening data security measures, expanding job roles or hiring new staff, and scouting out new technological solutions to help with compliance efforts. Below are four steps that risk and compliance teams should consider in order to comply with the CCPA.

1. Continue to stay informed of changes. Any new amendments could change an individual organization’s obligations. Review the regulations that the attorney general submitted to help with interpretation of the law and compliance efforts. Because of the COVID-19 pandemic, the OAL received an extension for review and this may not be completed until Oct. 2020. However, no one anticipates that there will be further substantive changes to these regulations as this is generally a procedural step before filing the regulations with the secretary of state, which would make the regulations enforceable. Because of this, organizations should treat the text of these regulations as the final word and prepare accordingly. Also, monitor any new regulations if they arise in the future.

2. Follow enforcement actions. Pay close attention to how the attorney general uses enforcement power, if at all, in the coming months. This will act as a roadmap for how strictly the Office will enforce violations and what potential penalties an organization could face for non-compliance. Again, the pandemic could slow down enforcement efforts.

3. Monitor any civil suits that cite the CCPA. Individuals can only seek relief in civil court when non-encrypted and non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. The key thing with the CCPA’s private right of action is that while limited in scope, is it allows for statutory damages and does not require proof of actual harm that the consumer suffered, which is unique to the CCPA. Additionally, there may be more room for litigation since California’s data breach notification law was amended to include an expanded definition of “personal information.” The CCPA incorporates this expanded definition. The expanded definition could open the floodgates for class actions. Businesses subject to the CCPA should place security at the forefront of their compliance checklist to avoid additional liabilities and costs.

4. Stay on top of compliance. If not already completed, organizations should assemble a compliance plan. Reviewing and updating compliance protocols is also necessary to ensure everything is done correctly and that any technological solutions helping with this function are worth the investment.

Again, any changes in the law could affect what an organization’s compliance efforts should look like so remaining educated about the CCPA is the most critical task.