The California Consumer Privacy Act (“CCPA”), signed into law in 2018, will become effective on January 1, 2020. Many organizations hoped that the California legislature would narrow the scope of the CCPA prior to its effective date, but the legislature adjourned without taking action to narrow its scope. For businesses, this means that preparations should be underway to comply with the CCPA before the California Attorney General has statutory authority to enforce the law on July 1, 2020.
The initial step for a business to develop a CCPA compliance program is to understand what personal information it collects and determine what it does with this personal information. Similarly, the business should review its policies and procedures regarding its collection and processing of this personal information, then conduct a gap analysis between its written procedures, actual procedures, and the CCPA. Understandably, this gap analysis will be challenging, given that the California Attorney General is expected to promulgate regulations under the CCPA this fall and several potential amendments are awaiting the California Governor’s signature. However, the substance of the CCPA should remain the same and actions should be taken to prepare.
For businesses outside of California, much like the GDPR, the CCPA is designed to be extra-territorial. This means that businesses outside of California that conduct business within the state, or with residents of the state, need to take steps to comply with the CCPA, or at least mitigate its risks. The time for a business to prepare for the CCPA is now, even though the law itself will continue to evolve.
VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC
For more information, Contact Us