Last week, myself and members of the RADAR team were able to attend the IAPP CCPA Comprehensive in Fremont, California. This day-long program focused on the California Consumer Privacy Act (CCPA), with a special focus on the act’s scope, definitions, General Data Protection Regulation (GDPR) inspiration, and areas for further clarification.
Throughout the day’s conversations and session topics, one thing became clear: organizations preparing for compliance with the law by its effective date in 2020 are aiming to hit a moving target.
In one session, it was estimated that over 200 proposed amendments to the law are currently under consideration. Given the flurry of activity around this pending regulation, it seems unlikely the act will remain unchanged in the months leading up to its effective date. The question then becomes, with less than a year until the CCPA becomes enforceable, how can organizations begin preparations knowing the ground beneath them will continue to shift?
Data Breach Notification Requirements and the CCPA
Before we address the question of how to prepare when the law is by no means in its final state, it’s important to note that the CCPA introduces key privacy requirements for businesses and grants consumers new rights regarding their personal information, but does not add to or change breach notification obligations under existing general data breach notification sections of the California Civil Code and California Health and Safety Code. The RADAR regulatory team will continue to monitor any amendments to the act that would impact breach notification obligations.
Preparing for the CCPA as the Law Continues to Shift
Given the many aspects of this regulation that are likely to change in the coming months, the best any of us can do to prepare is to remain informed of the most recent version of the act, and work in advance to button up privacy practices and implement general best practices within our organizations. New, more stringent regulations such as the CCPA and the GDPR can be a driving force for companies to take notice of key privacy issues within their organization, to align their practices and policies, and to effect real change in how they manage and protect the data they are entrusted with.
In that regard, here are a few areas any privacy team should consider as they operationalize their privacy program more generally, and prepare for compliance with the CCPA specifically:
Streamline processes: Whether you’re responding to a data subject request or an incident involving sensitive data, time is of the essence. Invest in systems and thoroughly detail organizational processes for every step of your privacy program.
Get the big picture view: Creating a strong culture of compliance requires transparency and the ability to view the privacy program’s workings from a high level. The ability to report on privacy program metrics and transparency in program objectives are key in getting the data needed for process improvements as well as executive and board-level reporting.
Stay informed: Regulatory complexity in state privacy law is just the tip of the iceberg. Every US state has its own breach notification law, and international laws such as PIPEDA and the GDPR further complicate the regulatory landscape. Privacy teams are challenged to remain aware of changing privacy laws well beyond the CCPA, and the ever-changing privacy regulatory landscape requires constant vigilance on the part of privacy professionals. Always-up-to-date law overviews, such as those found within the RADAR software, eliminate the costs and time necessary to monitor, research, and analyze these constant regulatory changes.
Sweeping Privacy Regulations: The Only Constant is Change
In a recent article, Doug Kruger discussed the very real challenges of remaining compliant with ever-changing privacy laws, and the constant refrain we hear from privacy professionals in the field is that the only constant in life is change.
Last year saw the GDPR’s effective date, which was heralded by many as a sea-change in the privacy landscape. When the CCPA was introduced, many likened the regulation to the GDPR due to its potential impact on privacy and businesses. According to Data Protection Report, 11 states have introduced legislation similar to the CCPA that, “if enacted, these laws would result in significant costs for businesses as they try to understand and put in place a privacy framework that would comply with this patchwork of US and non-US laws that often have overlapping and conflicting requirements. In fact, the level of complexity and uncertainty posed by these various changes in the legal landscape is leading businesses to call on the US Congress to step in and implement national comprehensive data privacy legislation.”
My point is that complexity in privacy law is likely to remain a core challenge for privacy professionals and companies need to be proactive to remain compliant. In general, high profile data breaches are raising public awareness of privacy issues and their impact on individuals, while privacy laws are only becoming more complex and stringent. This increased exposure and lack of legal certainty will require privacy professionals to continue to be vigilant in monitoring the ever-changing privacy landscape.
Resources for remaining ahead of changing privacy laws:
Free Law Overview Tool: This free tool from RADAR provides you access into valuable aspects of our law overviews, which include up-to-date summaries of breach notification laws for US, federal, and international jurisdictions.
The IAPP Resource Center: This is a portal for accessing recent privacy and security research, tips, worksheets, and more. Accessing some of this content will require an IAPP login.
RADAR Whitepapers and Guides: Here you will find research and best practices informed by our years of working closely with customers in privacy incident response. For attendees of our webinar in particular, we recommend the PIPEDA, GDPR, and US State and Federal Breach Notification Comparison Guide and our Regulatory Trends eBook.