With just days to go before the California Consumer Privacy Act(CCPA) compliance date, some companies may be scrambling to gettheir data collection and management processes in order. Others,however, might be taking a wait-and-see approach before fullinginvesting into large-scale changes. Whatever an organization'splan, there are certain things all covered entities should knowabout the far-reaching privacy law before January 2020.
|Related: What California's consumer privacy act means foremployers
|From how to handle web browser cookies to overlooked securityrequirements, here are four things to consider before thecompliance date:
|The CCPA is mostly ready
Those waiting to see how the "final" CCPA takes shape may be toolate. Amendmentsto the CCPA that passed California legislature in September 2019have been signed into law, and the state's Attorney Generalreleased proposed CCPA regulations in October 2019. Asof the end this year, the CCPA is ready for prime time.
|"I would say 95 percent of the puzzle is [set] socompanies should get on that 95% instead of waiting for that5 percent to be finalized around the edges," saidDominique Shelton Leipzig, chair of adtech privacy andcybersecurity group at Perkins Coie.
|To be sure, the attorney general's regulations are onlyproposed. But while the CCPA will evolve over time, Leipzigbelieves any changes will likely be minor. "I wouldn't expectradical departures from what we see in the regulationsalready."
|Cookies are likely for sale
One of the unique mandates of the CCPA is allowing customers toopt out of having their data sold to third parties. While that mayseem straightforward, it can get complicated when considering whatexactly constitutes a sale. Take for example, "cookies," which arelines of code that track a user's web browsing and often used tocreate targeted online advertisements.
|"I would think seriously about having a do not sell link if acompany has third-party cookies on their site," Leipzig said."There are different points of view in terms of whether cookiesconstitute a sale, but I can say that my understanding is theAttorney General's Office considers third-party cookies that goacross multiple websites to be a sale under the statute."
|Of course, this view could change over time. "As we know theCalifornia Attorney General regulations are still proposed; they'renot finalized—and we won't see a finalized version for somemonths," said Mark Schreiber, partner at McDermott Will &Emery. But as for now, it might be better to safe than sorry.
|Enforcement action is delayed, but notlitigation
Those waiting to see how enforcement action will shape up underthe CCPA will have to wait a while longer. While the compliancedate for the regulation is Jan. 1, the date the state attorneygeneral can start enforcing the CCPA is set to be no later thanJuly 1.
|But even without an active attorney general, there are likely tobe plenty of CCPA battles before the summer. "With regard to theprivate right of action that exists under the statute, there is nodelay to bring [those] actions," Leipzig said.
|And there are already signs that litigation may ramp up quickly."We are already seeing that there are some 13 cases in Californiathat have already been filed that expressly mention the CCPA, andthere's another 14 that lift language from the CCPA," Leipzigadded.
|'Reasonable' security is required
The CCPA isn't all about privacy. In fact, the regulation alsomandates that covered entities maintain reasonable securityprocedures, something that does not get as much attention as thedata handling requirements. "It certainly hasn't been focused onand it ought it to be," Schreiber said.
|To be sure, exactly what constitutes "reasonable"security isn't clarified in the CCPA. Still, Schreiber said thatthere are hints in what the state expects given its past positions."The California attorney general years ago in other pronouncementsidentified the 20 CIS [security] controls —which is this fairlyintense and robust set of security standards—as being whatCalifornia would look to. So that's been out there for some yearsand those are fairly granular in terms of the different componentsthat need to be looked at."
|Read more:
Complete your profile to continue reading and get FREE access to BenefitsPRO, part of your ALM digital membership.
Your access to unlimited BenefitsPRO content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Critical BenefitsPRO information including cutting edge post-reform success strategies, access to educational webcasts and videos, resources from industry leaders, and informative Newsletters.
- Exclusive discounts on ALM, BenefitsPRO magazine and BenefitsPRO.com events
- Access to other award-winning ALM websites including ThinkAdvisor.com and Law.com
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Rhys Dipshan
CT-born, New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine. Continually waiting for law to catch up with tech. (It's like waiting for Godot, but without the clowns)
