It’s amazing how slowly government works some times.  The California Consumer Privacy Act was passed in 2018. With more than a year warning for companies to comply, it went into effect in January 2020.  Enforcement was held off were the regulations were being finalized.

There have been many changes, including a redefinition of what classifies as personal information.  Other amendments were added in October of 2019.

On August 18, 2020 – nearly two years after being passed into law – the regulations were finally finalized.

“With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.” – Xavier Becerra, California Attorney General

A copy of the approved final regulations can be found here.

First Warning Letters Went Out in July

The first warning letters were sent in July.  The California Attorney General provides notifications of violations and gives companies 30 days to come into compliance or face enforcement actions.  The law allows fines from $2,500 to $7,500 for each violation.

CCPA is one of the strictest laws in the U.S.  Businesses are required to allow California residents to access or delete personal data from records.  In addition, businesses must allow residents to opt-out of being included in data-sharing arrangements or selling of their data.

If you serve or employ California residents – regardless of where your business is physically located – CCPA will impact you.  Here are the five key areas you need to address in your strategic planning:

  1. How you collect and store data
  2. How you use or sell data to third-parties
  3. Individual’s rights to opt-out of data selling
  4. Compliance by third-party data processors
  5. Monitoring, tracking, and proactive remediation of security gaps and vulnerabilities

Here’s how CCPA stacks up against GDPR, the EU’s data privacy regulations.

Beyond CCPA, Look Out for CPRA

There’s already a movement in California for stricter laws and larger penalties.  CPRA, the California Privacy Rights and Enforcement Act of 2020, has been filed to create a statewide ballot initiative in the fall.

The same group behind CCPA, Californians for Consumer Privacy is pushing the new effort.

CPRA would go even further in granting consumer rights than the current CCPA.  One of the main tenants is adding additional items, dubbed sensitive personal information (SPI) to the list of what is regulated.  They include collecting data such as:

  • Passports
  • Social security number
  • Driver’s licenses
  • Religion
  • Race
  • Union Membership
  • Personal communication
  • Genetic data and other health information
  • Information about sex life or sexual orientation

The ballot initiative also establishes a consumer privacy agency to oversee it all, including $10 million from the California General Fund to staff and enforce the regulations.