UPDATE: July 1, 2020: Enforcement for the California Consumer Privacy Act began Wednesday. Several organizations are urging for a delay of enforcement because the rules are not yet finalized. However, California Attorney General Xavier Becerra maintains businesses should have been compliant since its enactment on Jan. 1.
The law is reliant on consumers initiating data requests and complaints with companies. "It'd be very awkward to continue another six months as some companies were requesting where people would have rights, companies would have obligations, but no one would be there to make sure those rights are being complied with," Becerra told The Washington Post.
With the California Privacy Rights Act ballot initiative heading toward November, lawmakers are expected to continue iterating in the near term.
After several rounds of comment periods and amendments, California Attorney General Xavier Becerra submitted the latest round of proposed rules this week for the California Consumer Privacy Act.
Becerra's timing caught industry by surprise as the U.S. grapples with protests following the killing of George Floyd, an economic contraction and a pandemic.
"I'm still in shock," Heather Federman, VP of Privacy & Policy at data privacy firm BigID, told CIO Dive, referring to the timing of the rules' publication. The latest proposal might get lost in the shuffle.
But Becerra, on a July 1 enforcement deadline for finalized language, requested an expedited review of the proposal. Companies dealing with the economic downturn have to also contend with the country's first comprehensive data privacy law.
Some companies with the resources, such as Microsoft, are broadly applying the CCPA's rights across customers. However, not all businesses have the resources to provide universal compliance; 50 laws for each state could become a compliance conundrum.
Becerra's proposed regulations differ slightly from the regulations shared in March, leaving vagueness unaddressed. Definitions, accessibility rules and data value calculations leave room for second guessing compliance.
"I think everyone was hoping that the regulations would be putting the business community at ease," said Federman. "While it has perhaps shed some light on what he's thinking, it hasn't been overly helpful."
Following the Jan. 1 enactment, business anticipated the inundation of consumer requests to immediately follow. While enforcement neared, COVID-19 hit stateside.
Companies strapped for cash, staring down a recession, laid off employees, including those who might have been trained for handling customer service requests, according to Hederman.
IT spending already dropped 8% in 2020 and Gartner expects it to take years to rebound. Privacy budgets, if not entire preparation efforts, were impacted by the pandemic.
Before January, the primary goal was data mapping and issuing a privacy notice for consumers. Companies are likely applying an 80/20 rule to determine their compliance priorities, hoping to prove to regulators that when budgets recover they can complete their checklist, according to Federman.
But Becerra is unrelenting with the enforcement date. The potential security risks companies exposed themselves to during COVID-19 are top of mind for regulators. "I think that's the reason why," Becerra isn't backing down on July 1, Ameesh Divatia, co-founder and CEO of Baffle, told CIO Dive.
Becerra wants the finalized rules drafted in time to act on possible COVID-19-related security breaches, Divatia said. "Certainly every enterprise in the world became online … they did the right thing by saying 'no we're not going to push it back.'"
While Becerra is sticking to the original enforcement date, the AG Office might be "a little more sensitive to a retailer versus a tech company," Federman said
What lies ahead
Critics of the General Data Protection Regulation (GDPR) say it has not found its teeth, despite historic fines across industries. But enforcement has moved slowly, with regulators pursuing major privacy and security breaches, leaving other infringements alone.
Privacy experts expect the CCPA to run a similar operation: Fry the bigger fish.
Eventually, the California Privacy Rights Act (CPRA), a ballot initiative pushed by the same individuals behind the CCPA, could tie up loose ends in penalties — or complicate it further. The CPRA's place on the November ballot is still uncertain.
The CPRA would amend the CCPA with more rules and creates more confusion for companies struggling with compliance.
The CCPA requires companies quantify their data by its impact on the business. If there's room for business to interpret certain rules, they might fall short of accurately characterizing their use of data. The CPRA could help companies that believe their data is more secondary to their primary services, or lack the tools needed to craft a reliable valuation, according to Federman.
"I've actually seen business plans being circulated which talk about data innovation in there to figure out how to find value and then how to protect it," said Divatia.
Other lingering ambiguities in the proposed rules could offer loopholes for companies to fall into. The rules state businesses that do not maintain data in a "searchable or reasonably accessible format," could be excluded from searching for personal data in requests to know.
Organizations have to contend with vague terminology and determine if:
- Unstructured data circumvents compliance
- Searchable data equates to structured data
One of the most glaring issues is the "connection of data is somewhat inadvertent," said Divatia. "Just because you do business, people give you data and that in itself should not constitute a liability."
Exceptions to the regulation, such as Gramm–Leach–Bliley Act for the financial industry could undermine the extent companies comply with the CCPA. "Companies are having to make their own decisions about what to do, which will only end up being detrimental to the end user," said Federman.
Companies left to their own accord could interfere with thorough completions of consumer data requests.
"The law does explain various types of statutorily defined information, but when you really break it down to the nitty gritty, it's not clear how much electronic network activity you're actually supposed to provide in a way that would make sense to a consumer," said Federman.