- As companies prepare for the California Consumer Protection Act (CCPA) to go into effect Jan. 1, 2020, the state's Attorney General Xavier Becerra released draft regulations for compliance. The attorney general's office can begin enforcing CCPA in July, six months after its enactment.
- The regulation requires businesses confirm a consumer's request to know or delete data within 10 days of receiving an inquiry. Businesses have to act on the request within a 45-day period, "regardless of time required to verify the request," according to the draft regulations.
- The regulations are broad-sweeping in identifying those who need to be compliant. Under the Civil Code section, any person or entity that provides services to a person or organization "shall be deemed a service provider for the purposes of the CCPA," according to the document.
While the road to data privacy legislation in the U.S. is nowhere near complete, California started paving it in 2018. Currently there's no federal data privacy law in sight, so state governments are picking up the slack.
In the interim, the Federal Trade Commission (FTC) is seeking greater authority from Congress to pursue data misuse cases. While the FTC can't act in the same way GDPR's data watchdogs can in terms of penalties, there are exceptions.
In July the FTC handed Facebook a $5 billion fine, nearly 20 times greater than the amount of a privacy or data security penalty "ever imposed worldwide."
Still, the FTC largely lacks the muscle needed to enforce data privacy. The CCPA, as of right now, has the opportunity to provide that muscle.
California legislators were crafting the CCPA right before GDPR went into effect last year. Though not directly modeled after the European Union's regulation, the CCPA is largely considered the first step toward a comprehensive law in the U.S.
The expectation for GDPR is not perfection, but its initial fines put a spotlight on how seriously companies are taking compliance. Does a business have the relevant protective measures in place? If the answer is no, a greater fine could be determined.
U.S. companies adopted a lot of GDPR's policies, whether or not they have business in the European Union, as they prepare for a U.S. version.