CCPA enforcement has begun: Here’s what to expect
The US’s California Consumer Privacy Act came into force in January this year, but enforcement against technology companies did not begin until this month
The California Consumer Privacy Act (CCPA), the most comprehensive and broad-reaching privacy law in the US, came into force in January this year, but enforcement by the California attorney general only started on 1 July.
The attorney general is authorised to levy fines of $2,500 per violation – $7,500 if intentional – which, when multiplied by the millions of records many companies hold, adds up to ominous sums.
Research by the International Association of Privacy Professionals (IAPP) shows that just a minority of companies subject to the law feel they are fully compliant, and the risks of non-compliance are formidable.
For victims of data breaches, the law also provides a private right of action, which has already been seized on by plaintiff attorneys to file two dozen class actions. The US business landscape is highly litigious – expect CCPA enforcement to light it up.
Indeed, the very day enforcement went into effect, the rumour mill started spinning. Those in the know are saying that on 1 July, the attorney general sent multiple notices of violation, in particular to companies not displaying a “Do not sell my personal information” link on their website. Under CCPA, companies that receive such a notice now have 30 days to make amends.
They are strongly urged to do so to pre-empt broader – potentially public – investigations, which could uncover further infringements and expose the companies to the wrath of eager plaintiff lawyers.
Unlike Europe’s General Data Protection Regulation (GDPR) enforcement environment, which is regulatory in nature and often resolves in agreement between a company and its data protection authority, US law is made in the courts, and CCPA will be no exception.
Expect cases to emerge from complaints, but also from stories in the media and even social media posts. If you are a company subject to CCPA, better watch what consumers or critics are saying about you on Twitter, because the attorney general will do so, too.
Over the years, academic researchers deploying tools to analyse web traffic and third-party data sharing have catalysed high-profile investigations by state and federal technology regulators. Companies should keep their ear to the ground to get ahead of any adverse research, lest it come back to haunt them in the form of an attorney general investigation and, later, a class action lawsuit.
It isn’t surprising that the attorney general first pursued cases reportedly involving the “Do not sell” signal. A consumer’s right to opt out of data selling is at the core of CCPA – and it’s easy to enforce.
Attorney general staff could simply review companies’ privacy and cookie policies or deploy publicly available packet-analysing software to identify discrepancies between what a business says and what it does with consumers’ personal information. Further cases are likely to emerge from data breaches, which give rise not only to attorney general enforcement, but also to consumers’ right to sue.
The attorney general has also clarified its intention to protect children’s data, as well as the personal information of vulnerable populations, particularly during a pandemic-driven economic downturn. Additional criteria that the attorney general is likely to employ to triage cases include the breadth and sensitivity of impacted data.
Over the next few months, CCPA cases will begin reaching Californian courts, and judges will have to resolve the numerous ambiguities and interpretative issues in CCPA. These include questions such as what constitutes a “sale” of personal information, what is a “business” and what does “doing business in California” mean?
To prepare, companies should put in place the policies, contracts and consents needed to satisfy the new law. But, more importantly, they should ensure that future product engineering and business processes embed sound privacy practices, including data mapping and the ability to respond to, and implement, consumer rights.
This involves data governance processes that transcend legal compliance, affecting product teams and business executives at all levels of corporate management.