As we mentioned in a previous blog in this series, the CCPA started out as a ballot initiative in early 2018 and was signed into law in June of 2018. It goes into effect on January 1, 2020 and will be enforceable on July 1, 2020. The original CCPA ballot initiative was introduced by California real estate developer Alistair Mactaggart, who, during a conversation with a tech employee at a cocktail party, realized the massive amounts of data companies collect and store regarding consumers.
After Mactaggart’s realization of how much personal data is processed that consumers are completely unaware of, the Facebook Cambridge Analytica scandal that came to light in March 2018, and the EU’s GDPR becoming effective, California became the first state in the United States to initiate a state-specific privacy regulation. Chicago and San Francisco proposed privacy legislation to protect personal data processed within their city limits. Brazil recently passed its own privacy legislation, the Lei Geral de Proteção de Dados Pessoais (LGPD), which closely mirrors the GDPR. Finally, New Zealand is in the process of reviewing a new privacy bill to amend its previous data protection legislation to account for technological changes. We will likely see more privacy legislation passed here in the United States, at the city, state, and federal levels, as well as globally.
Not only will compliance with the various potential privacy laws become difficult, but it will also likely serve as a decision-making factor for organizations when determining which third-party vendors and service providers to engage with. Those that already have comprehensive privacy policies and procedures in place will likely prove to be the most successful. So, if your organization has not started down this path, there is no time to waste.
The key with the CCPA is to understand that it is not yet final. There has already been one round of amendments passed, and it is likely more will follow. PossibleNOW and CompliancePoint will continue to monitor these changes to the CCPA as well as future privacy legislation and keep you updated on the various new requirements. Further, although the CCPA does not specifically require businesses to contractually oblige vendors and third-party service providers to comply with the CCPA, it is recommended that businesses subject to these requirements contractually require vendors to assist the business in complying with certain rights requests, specifically the right to deletion and the notice requirements. Moving forward, businesses subject to the CCPA should consider implementing a formal onboarding process for new vendors to ensure they have some level of data protection policy in place, as well as an ongoing monitoring and enforcement program to periodically monitor vendors for compliance.
The GDPR set the “golden standard” for privacy legislation and brought privacy to the forefront of both consumers’ and legislators’ minds. Organizations that have prepared for their responsibilities under the GDPR will likely be ahead of the curve in implementing new or adjusting current policies and procedures to meet their obligations under the CCPA and future data protection requirements.
Contact the experts at PossibleNOW and CompliancePoint to review your company’s obligations in regard to CCPA compliance. We can help assess your risk and provide solutions with our OnePoint workflow tool and Customer Privacy Request Portal. Contact us today.