Gary A. Kibel
Partner
Davis & Gilbert, LLC

The California Consumer Privacy Act (CCPA), a comprehensive state privacy law that was passed and subsequently amended in 2018, is continuing to raise questions for businesses operating in California. The law becomes effective January 1, 2020, though it will not be enforced by the California Attorney General’s office until the earlier of six months after regulations are issued, or July 1, 2020.

However, given the increasingly complicated and confusing privacy landscape that lies ahead, it is critical that businesses begin to make changes now, to ensure they are compliant well in advance of the commencement of the CCPA enforcement period and other state privacy laws.

Compliance will require far more than just surface-level cosmetic changes. For example, businesses will be required to respond to consumer data access requests, and these requests will include a one-year look-back, meaning businesses need to be able to update data record-keeping processes and procedures for the period that is one year prior to the CCPA becoming enforceable.

Additionally, compliance with the European General Data Protection Regulation (GDPR) does not ensure compliance with the CCPA as there are key differences.

Member firms that collect any personal information from California residents, even when they are not in the state, should work with outside counsel well-versed in privacy law and the CCPA in particular, and thoroughly assess the applicability of the CCPA to their business.

Specific steps to begin taking now include:

  • Review and track your data collection practices
  • Maintain records of data processing activities
  • Review policies and identify gaps with GDPR
  • Review external privacy policies and other consumer disclosures
  • Plan how to proactively communicate with your consumers about CCPA compliance
  • Stay up-to-date on Federal privacy developments
  • Assess third party roles and relationships with regard to customer data and privacy

Be aware that the CCPA and the GDPR are just two of the laws governing privacy. Several states have passed or are soon to pass privacy laws of their own, and the Federal government is considering doing the same, an outcome that could potentially modify and/or supersede the state laws.

More detailed intelligence provided by Davis & Gilbert can be found here.