On June 28, 2018, former Governor of California Jerry Brown signed into law the most comprehensive consumer privacy law in the United States. Some refer to the California Consumer Privacy Act (“CCPA”) as a mini-GDPR, after the European Union’s consumer privacy regulation. The regulatory schemes of the CCPA and the GDPR do not neatly overlap. However, compliance with data privacy laws remains an issue, as witnessed with the enactment and enforcement of the GDPR. Businesses in the United States had almost a year and a half to prepare for the CCPA’s major shift in U.S. consumer privacy. Yet, with just under two months before the CCPA takes effect, are companies ready?
In October 2019, a report showed that, among in-house legal professionals, sixty-eight percent of those surveyed showed little or no concern for the CCPA. Further research indicates that only about two percent of California companies considered themselves fully compliant as recently as August 2019. These results are troubling given the breadth of new obligations necessary for full compliance.
Companies may appear ill-prepared for CCPA compliance because of its impact on their bottom line. Estimates show that initial compliance may cost companies a total of $55 billion. Those costs range from about $50,000 for small firms with fewer than twenty employees to upwards of $2 million for larger firms with more than 500 employees. These numbers do not account for the compliance costs over the next decade, which could hit as high as $16 billion. While businesses may be understandably reluctant to accept such high expenses, their hesitation should wane in the face of hefty fines for non-compliance. Businesses will face a $2,500 penalty per person for data treated outside of the CCPA’s requirements.
Despite these staggering challenges, California continues to make a concerted effort to get companies ready by January 1, 2020. Recently, California’s Attorney General, Xavier Becerra, released draft regulations to guide companies toward CCPA compliance. Becerra acknowledges the cost and complexity that the CCPA presents to businesses. The draft regulations remove some of the ambiguity around what businesses need to do to comply. For example, the draft regulations provide guidance on key areas including notification to customers of their rights, response to customer data requests, and verification of data requests from customers. The guidance also covers verification of parental consent for children under thirteen. Lastly, the draft regulations make clear that GDPR compliance does not equate to CCPA compliance. This may not sit well with businesses already subject to the GDPR.
Over the next two months, the draft regulations will be subject to input from the public at a series of forums. Further, while the law takes effect on January 1, 2020, there is up to a six-month window before the California Attorney General will begin to enforce CCPA compliance. These should provide some relief to businesses as they begin to comply with the CCPA.
California is not alone in its efforts to prepare businesses for the CCPA. Private entities and associations are also offering compliance advice and assistance to companies impacted by the CCPA. For example, the Interactive Advertising Bureau (IAB) has published a draft framework for its members to help them comply with the CCPA. Likewise, private professional services firms, such as PricewaterhouseCoopers, published materials for clients and the public. The work done in the private sector is just as critical to ensure compliance by the January 1, 2020 deadline.
Time is not on anyone’s side as the January 1, 2020, deadline fast approaches. Companies seemingly did not prioritize CCPA compliance or effectively utilize the window between passage and effectiveness to adequately prepare for the CCPA. It will take an ongoing, cooperative effort between the state and businesses to address these compliance issues as we enter a new era of data privacy protections in the United States.