The California Consumer Privacy Act (CCPA), which is the most groundbreaking data security legislation in the United States, is now enforceable. Broadly, the CCPA gives consumers access to and control over their personal information. It also allows users to have a say in how organizations collect, use, and disseminate this personal data. The law is revolutionary because it will set the stage for other states to follow suit and crack down on consumer privacy violations. It may also finally spark the creation of a comprehensive federal privacy law, especially if there are enforcement issues or continuing arguments over the law’s text.
After the law’s enactment in June 2018, there was over a year of debate regarding several proposed amendments because many felt that the law contained gaps and ambiguities. Only a handful of the proposed amendments were accepted and adopted into the law on Oct. 11, 2019. The CCPA then became effective on Jan. 1, 2020. However, the Office of the Attorney General created regulations to help provide guidance and clarification on several sections of the CCPA. The Office did not submit the final version of these regulations until June 1, which made the CCPA enforceable on July 1, 2020. Even though the CCPA is now enforceable, the regulations are still awaiting final approval by the California Office of Administrative Law (OAL).
Several amendments to the CCPA were originally on the table, but only six survived by the time the law became effective this past January. Here are the key takeaways from the remaining amendments that organizations should know:
Other amendments are still pending. One amendment that has a good chance of passing seeks to extend the sunset provisions for the two limited exemptions until Jan. 1, 2022, because the COVID-19 pandemic has delayed many legal proceedings.
All organizations that fall under the CCPA’s reach should already have taken steps towards compliance. Proactive steps include reviewing the law and following amendments, understanding obligations, tightening data security measures, expanding job roles or hiring new staff, and scouting out new technological solutions to help with compliance efforts. Below are four steps that risk and compliance teams should consider in order to comply with the CCPA.
Again, any changes in the law could affect what an organization’s compliance efforts should look like, so staying educated about the CCPA is the most critical task.