The California Consumer Privacy Act (CCPA) affects hundreds of thousands of businesses, which is why we offer technical consulting and implementation services for accommodating CCPA needs.

In normal times, helping businesses address these complex new privacy rules would be a heavy lift by itself. But these obviously aren’t normal times, so here are our views on CCPA enforcement and preparation during this pandemic crisis.

Requests for CCPA Enforcement Delay

Enacted in 2018, CCPA technically went into effect on January 1 of this year. But the final rules for how the law should work have not yet been issued by the Attorney General’s office, a major complication since the law is vague in many areas.

Draft regulations were issued on October 11, 2019, as well as on February 7, February 10, and March 12 of this year. The most recent commenting period ended March 27.

Once the draft is completed, there is a 30-day period for the regulations to be reviewed by the state’s Office of Administrative Law. The Attorney General (AG) has said it will begin enforcement six months after the final rules are issued, but – in any case – no later than July 1, 2020.

Even if the final rules were issued tomorrow, the 30-day period for Administrative Law means they wouldn’t be completely final until about May. And that leaves two months or less until July 1.

Not much time for implementation by businesses, which is why five major advertising trade organizations sent a joint letter in February to the California Attorney General’s office, asking for a six-month transitional period after final CCPA rules are issued and before enforcement begins.

Enter COVID-19

That request was made before the pandemic’s impact was widely known. On March 20, nearly three dozen trade associations, companies and organizations – including the California Chamber of Commerce, the Association of National Advertisers and the California Retailers Association – sent a letter to the AG asking for a delay in enforcement until January 2, 2021 because of the pandemic.

It read in part:

“The public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider tradeoffs between decisions that are best for their employees and the world-at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement activities.”

But not all observers think a delay is warranted. In particular, the non-profit Consumer Reports magazine, testing lab and consumer advocacy organization has argued against a delay in enforcement.

“This latest effort to avoid complying with the CCPA comes as more and more consumers increasingly rely on online communications to work, stay in communication with healthcare professionals, and obtain access to necessary supplies,” the organization said in a statement in March.

The state of California agrees, as its most recent guidance was that the July 2020 deadline will stand for now.

The Pandemic’s Impact on CCPA

In some ways, we think Consumer Reports has actually understated the case for the impact of the pandemic on consumer privacy.

When the history of consumer data is written, this pandemic will probably be marked as a game-changing turning point, when consumer privacy protections became as essential to public safety as traffic laws became once it was obvious cars were going to be everywhere.

For example, there are reports that the federal government is now mapping the pandemic in part by tracking users anonymously with mobile ad location data. While this might be an essential disease tracking technique, “anonymous” can become a relatively meaningless term once sophisticated ways to utilize probabilistic data-matching are applied.

Additionally, the practice of remote working, socializing, exercising and other activities, previously seen as a growing alternative route, has now become the sole highway for millions of Americans. And that highway is leaving unprecedented data trails.

So, it is essential that consumers and brands make consumer privacy an even higher priority than it was back in the normal days of only a few weeks ago.

Our View: Delay CCPA Enforcement, Not Action

At the same time, millions of businesses are now facing an existential crisis, as they try to conserve resources to make it through a time when many consumers are forced to stay home.

Whether or not there was previously a need for a six-month delay in enforcement, there is an obvious need now.

It’s the same reason why the deadlines for federal and many state tax returns have been delayed by several months. Companies and individuals are facing dried-up cash flows and team shifts, and must refocus their efforts and priorities. Digital teams are being asked to “swab the deck,” until they can make headway on major projects once again.

For those businesses, we urge them to use this downtime to get their consumer privacy practices in shape. However long this shutdown takes, consumer privacy will become an even greater need for brands, even without knowing the contours of the final CCPA rules.

So, here are our recommendations on steps businesses can take now, in conjunction with legal and other expert help, while we wait for CCPA to take hold and the pandemic to lift.

Audit the Tools and Customer Data You Collect

Take stock of the data you are collecting from customers, including your third-party tools, website, and any physical outlets. Build a map of how and what you collect, where it is stored, who has access, and – most importantly – whether any of that data is sold or traded with others. This process will help you understand your data repository and respond to customer requests.

Review Data Security Practices

This is a great opportunity to review – and include in your audit – who has access to your storage of personal information. Prune services, purge users, and update permissions so they conform to your security standards.

Review and Update Your Privacy Policy

CCPA requires transparency. Your privacy policy should be updated to clearly describe what kind of information you collect, why you collect it, and what you do with it.

Plan for Handling Customer Requests for Personal Data

Your IT team can also start planning how to quickly handle customer requests to view, change, or delete their personal information, a process that must be clearly referenced within your Privacy Policy.

Educate Employees on Consumer Privacy

Most importantly, take steps to fundamentally change your company’s attitude toward consumer privacy. Educate employees about the importance of consumer privacy, what your company is doing, and the role they as employees play. This is particularly important for employees who may be in a customer-facing role where they would be fielding personal information requests.

Interested in learning more about our GDPR and CCPA privacy work? Contact us and let’s set up a video call.

About O3

Since 2005, our team has been pushing the boundaries of innovation with its deep understanding of the current and emerging digital ecosystem. Learn more about us, our work or innovation at O3.