Why CCPA Compliance is the Tip of the Iceberg for U.S. Data Privacy Laws

December 16, 2019

If data privacy is Wonderland, then CCPA is the rabbit hole. It’s an entry point that marks a gateway into a broader world of changing privacy standards. Related legislation, such as GDPR in the EU, started the trend — but CCPA marks a true evolution in the movement, particularly for U.S. data privacy laws.

Organizations can no longer cross their fingers and assume they’ll be able to continue business as usual: data privacy is swiftly becoming the norm. Wonderland is the new reality, and we’re all going down the rabbit hole whether we’re prepared or not.

CCPA, or the California Consumer Privacy Act, is a piece of legislation enacted in 2018, finalized by the California Attorney General in December 2019 and set to take effect at the start of the year with a compliance deadline of January 1, 2020. But this isn’t just a simple change in the state-level consumer protection. It’s a sweeping, comprehensive and convoluted law that has tremendous implications for law firms and the broader story of U.S. data privacy laws.

A staggering number of businesses will be impacted by CCPA and required to meet the standard of CCPA compliance, including many that aren’t located in California. It’s even likely to cover B2B organizations because of its broad definition of consumer information. In brief, CCPA will impact all for-profit businesses that:

  1. Have an annual gross revenue of $25 million or more;
  2. Buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices; OR
  3. Gain a majority of their annual revenue from the selling of personal data.

For businesses that fail to achieve CCPA compliance, the consequences are noteworthy. Organizations will face statutory damages of up to $2,500 per violation; all customers are also entitled to a private right of action for up to $750. Crucially, suits will be brought by a class of consumers, so violations will add up quickly and lead to significant financial damages. And since it’s a statutory right of action, those customers won’t have to prove that the violation caused harm but merely that it happened.

The law itself has broad implications, and its application and nuances are still being finalized. For instance, if a consumer opts out of data collection, organizations need to ensure that they don’t discriminate against that individual as a result. But if someone in a household with a voice assistant opts out, how can the company continue to service the household without either violating the individual’s privacy rights or discriminating against them? Many of these complex use cases will be resolved in the coming years, but right now, there’s no clear answer.

Because of its uniquely broad reach, CCPA is a perfect case study for the evolution of U.S. data privacy laws. Essentially, the push for CCPA compliance is shining an enormous spotlight on how companies use data, accelerating the activity initially spurred by GDPR. Even organizations not covered under the three prongs of CCPA will need to assess how they monitor, store, secure and use personal data.

Beyond CCPA: The Broader Scope of U.S. Data Privacy Laws

The importance of CCPA compliance can’t be understood in a vacuum. In fact, CCPA should really be understood as a microcosm of the trend toward increased data privacy around the world. Far too many companies and firms consider themselves insulated or exempt from current data policy legislation. Maybe you don’t have any ties to California or your specific data usage isn’t covered by the legislation. But if you’ve been lulled into that false sense of security, it’s time to wake up.

Data protection is here to stay — and it’s already becoming the norm with a proliferation of U.S. data privacy laws:

That’s not to mention the myriad of laws around the world (over 100 countries and counting) or the enormous impact of GDPR in the E.U. The point is simple: CCPA is not a one-off concern. This legislation may have the broadest implications and may have attracted the most media coverage, but you need to consider CCPA a representation of the new norm.

So. Now what?

The key takeaway here is that it’s time to act now, whether or not you expect your firm to need to change practices for CCPA compliance. All organizations need to institute an information management and security system. That system must go hand-in-hand with a comprehensive assessment and overhaul of current data practices — you can no longer get away with a smoke-and-mirrors approach. It’s time to check under the hood instead.

How to Ensure CCPA Compliance (& Other Data Privacy Recommendations)

The scramble for CCPA compliance and the uncertain nature of the law have left many organizations overwhelmed or unable to proceed efficiently. The sheer breadth of change that organizations need to enact is often surprising. Data privacy has implications not just for legal teams or privacy counsel but also for web updates, IT teams, cybersecurity, internal processes and more.

Law firms in particular find themselves in a murky middle ground, able to leverage a robust and comprehensive legal response (such as updating privacy policies and contracts) but unable to nail down a sound structure to implement those policies across every facet of the organization.

Data privacy, in short, is more than a legal issue. It’s a data processing and project management issue, too. Don’t underestimate the time and resource investment required to upgrade data practices and attain CCPA compliance. Compliance is a multi-step process that breaks down into assessment, remediation and enforcement.

1. Assessment

You need to conduct a gap analysis to assess your current compliance status, where you fall short and how to address those gaps. At Exigent, we always recommend leveraging an information security management system that meets the standards of ISO certification.

2. Remediation

From there, you can make policy recommendations and begin to amend affected agreements. It’s vital to conduct ongoing periodic audits as well. Those audits should regularly assess how you collect, record, store, disseminate and destroy personal information and ensure the integrity and safekeeping of all personal information.

3. Enforcement

CCPA compliance requires you to take concrete steps to notify data subjects, inform the individual whose information is being processed and confirm that they voluntarily assented to share information. You’ll also need to keep abreast of all changes to laws like CCPA in the upcoming months, including in how the laws are enforced, to monitor exactly how you’ll be affected. And it all needs to be done in collaboration with stakeholders across the organization.

In other words, compliance is a significant undertaking. For starters, you need to:

  • Conduct a gap analysis
  • Make policy recommendations
  • Amend agreements, including updating your website accordingly
  • Upgrade data security
  • Conduct regular and thorough audits
  • Implement a system to notify data subjects and collect agreements
  • Monitor all changes in relevant laws

With all of those moving pieces, the goal of upgraded and future-proof data privacy practices may sound lofty. But it’s no longer avoidable. In fact, it’s precisely because compliance is so difficult to ensure that organizations need to start the process as soon as possible. Proactively prepare your firm for the relentless proliferation of U.S. data privacy laws. It’s the difference between jumping into the rabbit hole with a map and a parachute and tumbling in head-first.

Luckily, compliance is far more achievable with the help of expert advisors who can handle the implementation and assessment of these changes. Exigent can be your white rabbit — we’ll guide you through the world of data privacy laws. Check out our compliance services or get in touch today.