Enforcement of California’s digital privacy law began on July 1. However, though the hotly debated measure came into effect on Jan. 1 of this year, many companies dealing with sizeable amounts of consumer data are unprepared for the effects of the law’s full enforcement.
The California Consumer Privacy Act (CCPA) gives consumers inside — and often outside — the state the ability to make broad requests about the personal data related to them that companies may be holding. It allows consumers to request that companies not sell their data to third parties.
That data can include some of the most sensitive that users generate, such as financial and healthcare data, which means there are several potential risks to consumers if companies are not compliant, said Marti Arvin, executive advisor at CynergisTek, a company that performs CCPA readiness assessments.
“The risk to consumers would vary depending on a number of factors,” Arvin said. “It could be identity theft, reputational damage or discrimination based on the nature of the data compromised and who had access to it or who received the data.”
The reasons for a lack of readiness by companies for CCPA enforcement are unclear, and likely varied, Arvin said. Two likely reasons are uncertainty around the level of enforcement of the act and uncertainty about how long the law will be in place in its current incarnation.
The law — the furthest-reaching digital privacy regulation in the United States — has long been controversial in the business community, but privacy advocates hail it. Several other states have similar legislation at various stages of development.
Companies were expected to comply with the law as of Jan. 1, but a six-month grace period was provided for the beginning of CCPA enforcement. It’s still somewhat unclear where compliance could be falling behind, or what the potential consequences are for companies that weren’t ready on July 1, Arvin said.
If a company receives a notice of violation from the state, it is entitled to a 30-day period in which it can resolve the issue, she said. If it does not correct the violation within that time period, the company would then be subject to fines of various sizes.
“The fines could be significant if the number of consumers impacted is significant,” Arvin said. “Twenty-five hundred dollars per violation is the minimum fine level, and it can go up to $7,500 for intentional violations.”
There is also a narrow private right of action for data breaches, Arvin said. “A risk here is the need to defend against class action lawsuits for significant data compromises,” she said. “Cases were filed prior to the July 1, 2020, enforcement date.”
Although not put into effect until the beginning of 2020, the CCPA was adopted in 2018. In March, multiple trade associations and business groups asked for CCPA enforcement to be delayed because of the COVID-19 pandemic, but California Attorney General Xavier Becerra declined that request.
The CCPA puts the onus on the consumer for information requests, and earlier this month Becerra said the state has already received some complaints about company responses to those requests. And as of July 1, California can send 30-day compliance warnings to companies found to be violating the law.
However, the CCPA in its current format could be short-lived, Arvin pointed out. In November, there will be an initiative on the state’s ballot for the California Privacy Rights Act, which would update existing legislation if it passes.