How CCPA Compliant Is Your Business?

A Q1 CCPA Compliancy Checkup

At the turn of the year, the California Consumer Privacy Act (CCPA) created quite a stir. Businesses were scrambling to understand and comply with the expansive new privacy law. Now at the start of Q2, the July 1 enforcement date is less than three months away—a good time to assess how well your business measures up to the CCPA requirements.

In order to be CCPA-compliant, companies must:

Clearly, compliance is a challenge. In fact, dozens of trade associations recently sent a letter to California Attorney General Xavier Becerra asking to delay enforcement until Jan. 2, 2021. They fear the exceptional circumstances of the coronavirus pandemic as well as the “unfinished rulemaking on the CCPA” will delay their operational ability to be in full compliance by July 1.

Becerra said no. “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said an advisor to the California AG.

The 3 “Vital Signs” of CCPA Compliance

Despite the back and forth, many businesses covered under the CCPA have progressed toward compliance. Consulting firm PricewaterhouseCoopers (PwC) created CCPA Watch to report on emerging benchmarks. PwC continually analyzes how companies are meeting CCPA requirements, so it is a place to see how well you measure up. Their research covers three specific areas:

  1. Offering a do-not-sell (DNS) link on company websites. A PwC team analyzed the websites of the 600 largest publicly traded companies and the 100 largest private corporations. As of mid-February, 16% of companies offered such a link, actually higher than was predicted.

    However, there is a heated debate over what counts as a data “sale.” Legal experts in the ad tech industry note that “The question of whether, and under what circumstances, the use of third-party cookies, pixels, tags, etc. constitutes a ‘sale’ and how to provide [Do Not Sell My Info] choices is a flashpoint in the debate over how to interpret the CCPA…There is a growing consensus that only a lawsuit or a government enforcement action will resolve this matter.”
  2. Offering CCPA rights of access and deletion beyond California residents. PwC recommends organizations “plan for the long term” by providing these same rights to all consumers. However, their research found that the majority of companies have yet to do this. On the other hand, many well-known brands, such as Amazon, Apple, Facebook, Google, Microsoft, Netflix, and Starbucks do offer these rights to all Americans.

    Companies can extend CCPA rights to all their customers by allowing opt-out requests to be made online and by implementing an automated system for processing these requests. CCPA’s right to delete provision is similar to GDPR’s “right to be forgotten.” This similarity illustrates the importance of offering these rights to all consumers, wherever they live.
  3. Operating a CCPA privacy rights portal. A business uses a portal to verify a customer’s identity before processing a request to delete, access, or opt out of the sale of personal information. PwC researchers found “operational” CCPA rights portals on 40% of the 600 company websites they examined.

    As TechCrunch reports, however, many companies have made it more difficult and even “invasive” for consumers to exercise their rights. This is largely due to different interpretations of what compliance looks like.

    According to CCPA, companies need to verify a user’s identity to a “reasonable degree of certainty.” For some businesses, this means simply asking for an email address to send the data. Other companies require consumers to upload their driver’s license or state ID.

What’s Next

The California AG issued proposed modifications to the rule in February and again in March. The AG has until July 1 to finalize the law. However, the National Law Review warns companies that “the time is now for companies doing business in California to become compliant,” especially since the final regulations will be similar to the current version of the law.

July 1 will be here before we know it, and achieving a “healthy” level of CCPA compliance starts now. Because in a world of privacy risks, cyberattacks, and data breaches, your customers and employees have the right to control their personal information. And it’s our job to help them exercise that right.
