As California lawmakers weigh changes to the state’s new privacy law, many U.S. companies are making plans to comply with parts that aren’t likely to shift, privacy attorneys say.
State lawmakers are still considering amendments to the California Consumer Privacy Act, which takes effect Jan. 1, and California Attorney General
“Companies are moving full-throttle here to get in compliance with CCPA despite the amendments and the clarity that everyone is hoping for,” said
California’s new privacy law gives consumers more rights regarding the collection and sale of their personal information. Californians will be able to ask a company what information it holds on them and will be able to opt out of the sale of their personal data, among other things.
To be sure, some companies are taking a wait-and-see approach while lawmakers weigh amendments and Becerra drafts regulations. And the private sector is still trying to influence state officials. Becerra can begin enforcing the law July 1, 2020, or six months after he issues final regulations, whichever comes first.
Possible amendments include revising the definition of “personal information” as it relates to privacy protection, and clarifying whether the law covers employee data. But while such changes could be significant, they won’t change the core principles of the law, attorneys said.
“Sitting on the sidelines and waiting to see if the law changes in a meaningful way that could dramatically change the compliance obligations is a fruitless exercise—it is not going to happen. The fundamental principles underpinning the law are here to stay,” said
Data Inventories, Consumer Requests
Companies that do business in California and hold the personal data of many California residents should be making plans to comply with the law now, attorneys said.
“If you have a lot of exposure, you can’t afford to wait” because it’s uncertain whether there will be any major changes, said
Some companies may be delaying efforts because they’ve already taken similar steps to prepare for the EU’s General Data Protection Regulation, which took effect a year ago. But even companies that are holding back a little can make some preparations now, said
Besides doing data inventories, companies can update privacy notices to include disclosures around the collection of personal information, and establish ways for individuals to submit requests and for the company to respond to those requests, attorneys said.
Covered businesses also should review agreements with existing vendors to determine which ones may be service providers or third parties under the law, develop a due diligence process to evaluate vendors’ data security practices, and evaluate their own information security practices and incident response plans, Jolly said.
If a company isn’t in the process of getting into compliance with the aspects that it knows will affect the business, “it could be a real race at the end,” Bruno said.