10 CCPA enforcement cases from the law's first year – TechTarget

What do a car dealership, a grocery store chain, an online dating platform and a pet adoption agency have in common? All were early targets of California Consumer Privacy Act enforcement, according to California Attorney General Rob Bonta.
While CCPA became law in January 2020, enforcement didn’t begin until that July. If a business receives a notice of alleged noncompliance, it has 30 days to rectify the issue without facing financial penalties. Of all organizations notified in the first year of enforcement, 75% promptly took steps to comply with CCPA, Bonta said in an official statement. The remaining 25% included some businesses still within their 30-day “cure” windows, as well as others under active investigation.
The first year of CCPA enforcement marks another stage in the evolution of data privacy in the U.S., with businesses getting serious about compliance or facing real consequences. “Things are changing, and it’s a good evolution, I think,” said Christophe Bertrand, analyst at Enterprise Strategy Group (ESG), a division of TechTarget. “But it’s also creating many complexities for data and security management from an IT standpoint.”
Research suggests organizations are well aware of the challenges they face. In May 2021, just 62% of enterprise leaders described themselves as knowledgeable or very knowledgeable about CCPA as it pertains to their businesses, according to an independent survey Golfdale Consulting conducted on behalf of privacy consultancy TrustArc.
CCPA establishes California consumers’ right to control their personally identifiable information. “The philosophy behind it is that your individual rights — your human rights, if you will — extend to your data,” Bertrand said. Then-Gov. Jerry Brown signed the bill into law in 2018, and it took effect on Jan. 1, 2020. CCPA enforcement began seven months later.
Under CCPA, California residents have the right to do the following:
Additionally, businesses cannot legally discriminate against consumers who choose to exercise the above rights by denying them service or charging them higher fees.
The only organizations subject to CCPA are for-profit companies doing business in California that collect consumers’ personal data and do the following:
It’s important to note that CCPA may apply to any business with customers or clients living in California, so the law’s reach extends across the country as well as to Europe and the United Kingdom. As of 2021, California boasts the fifth-largest economy in the world, with a growth rate that only China tops.
Few, if any, observers thought businesses were largely prepared to meet CCPA requirements by mid-2020. In May of that year — five months after the privacy law went into effect and just two months before CCPA enforcement began — Golfdale Consulting found more than half of companies had not even begun implementing their compliance plans. Twenty-nine percent were still in the preliminary planning stage, and nearly one in 10 had not started.
Encouragingly, however, ESG analyst Carla Roncato said her more recent research suggested enterprise data privacy and compliance programs are healthy overall. “Privacy is mature and mainstream,” she said, adding that large and midmarket companies of all kinds, across sectors, have maturity, competence and confidence in this area. “There isn’t a segment of the business landscape that is struggling with compliance more than others.”
But California’s new regulations seem to have thrown at least some organizations curveballs. A number of companies have already faced CCPA-related civil lawsuits, while many others received alleged noncompliance notifications during the first year of enforcement. According to the attorney general’s office, the latter group includes the following 10 unnamed businesses:
All of the above businesses reportedly took steps to achieve CCPA compliance within the 30-day statutory cure period, and the attorney general has not announced any fines to date. Under the law, civil penalties can run as high as $7,500 per CCPA violation.
Roncato noted that the threat of financial penalties isn’t the only, or even the primary, factor motivating companies to achieve and maintain compliance with privacy laws such as CCPA. In a 2021 survey, ESG asked 300 business and technology professionals in North America what concerns them most about noncompliance with government privacy regulations. The results were as follows:
“Really, it’s the whole rainbow,” Roncato said. “No single concern stands out, which suggests it’s a combination of factors.”
The responses show roughly equal levels of concern about possible operational, reputational and legal fallout, Bertrand added, which he took as a good sign. “It tells you people have a clear understanding that this is a business issue that goes far beyond technology,” he said.
A new, more aggressive iteration of CCPA, the California Privacy Rights Act (CPRA), will take effect in 2023. Experts say, where California goes, the country may soon follow. Colorado, Maine, Nevada and Virginia have already signed consumer privacy protection acts into law, and lawmakers in a number of other states have proposed similar bills.
The only problem? “The laws don’t align,” Gartner analyst Nader Henein said. Some have slightly different breach disclosure rules or varying restrictions around selling the information of minors, for example. For companies doing business in all 50 states, that could get complicated. “It’s not pleasant,” Henein added.
It’s possible the U.S. government could pass a national consumer privacy protection law that would supersede CCPA, CPRA and other state-level legislation. Otherwise, companies may have to contend with a patchwork quilt of overlapping but inconsistent requirements. “The worst-case scenario, which we seem to be heading towards, is multiple laws for privacy per state,” Henein said.
In the months and years ahead, companies can also expect increasingly large financial penalties for noncompliance with consumer protection laws, Roncato added. She cited as an example the Canadian Consumer Privacy Protection Act, which puts businesses on the hook for up to 5% of their annual revenue for violations. In the U.S. as well, “those fines are going to become very hefty,” Roncato predicted. “They start with that initial legislation such as CCPA, and then they back it more heavily with penalties.”
Once CPRA goes into effect in 2023, for example, each violation of a minor’s data privacy rights will carry an automatic $7,500 fine — triple what it currently is under CCPA.
All Rights Reserved, Copyright 2009 – 2022, TechTarget