Looming California Privacy Law Has Companies Gearing Up

As California lawmakers weigh changes to the state’s new privacy law, many U.S. companies are making plans to comply with parts that aren’t likely to shift, privacy attorneys say.

State lawmakers are still considering amendments to the California Consumer Privacy Act, which takes effect Jan. 1, and California Attorney General Xavier Becerra (D) hasn’t yet issued draft implementing regulations. But many companies are forging ahead to figure out what data they hold, how they use it, and how consumers can ask for that data.

“Companies are moving full-throttle here to get in compliance with CCPA despite the amendments and the clarity that everyone is hoping for,” said Sarah L. Bruno, leader of Arent Fox LLP’s privacy, cybersecurity, and data protection group. Companies that fall within the scope of the law aren’t “waiting to see without taking steps to start getting toward a place of being prepared,” she said.

California’s new privacy law gives consumers more rights regarding the collection and sale of their personal information. Californians will be able to ask a company what information it holds on them and will be able to opt out of the sale of their personal data, among other things.

To be sure, some companies are taking a wait-and-see approach while lawmakers weigh amendments and Becerra drafts regulations. And the private sector is still trying to influence state officials. Becerra can begin enforcing the law July 1, 2020, or six months after he issues final regulations, whichever comes first.

Possible amendments include revising the definition of “personal information” as it relates to privacy protection, and clarifying whether the law covers employee data. But while such changes could be significant, they won’t change the core principles of the law, attorneys said.

“Sitting on the sidelines and waiting to see if the law changes in a meaningful way that could dramatically change the compliance obligations is a fruitless exercise—it is not going to happen. The fundamental principles underpinning the law are here to stay,” said Ieuan Jolly, co-chair of Loeb & Loeb LLP’s privacy, security and data innovations practice. While some of the details and definitions being discussed have “serious implications,” they won’t change the fundamental compliance requirements, he said.

Data Inventories, Consumer Requests

Companies that do business in California and hold the personal data of many California residents should be making plans to comply with the law now, attorneys said.

“If you have a lot of exposure, you can’t afford to wait” because it’s uncertain whether there will be any major changes, said Nancy Perkins, counsel at Arnold & Porter Kaye Scholer LLP who focuses on data privacy and security.

Some companies may be delaying efforts because they’ve already taken similar steps to prepare for the EU’s General Data Protection Regulation, which took effect a year ago. But even companies that are holding back a little can make some preparations now, said David Zetoony, a data privacy and security partner at Bryan Cave Leighton Paisner LLP.

Besides doing data inventories, companies can update privacy notices to include disclosures around the collection of personal information, and establish ways for individuals to submit requests and to respond to those requests, attorneys said.

Covered businesses also should review agreements with existing vendors to determine which ones may be service providers or third parties under the law, develop a due diligence process to evaluate vendors’ data security practices, and evaluate a company’s own information security practices and incident response plans, Jolly said.

If a company isn’t in the process of getting into compliance with the aspects that it knows will affect the business, “it could be a real race at the end,” Bruno said.