Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) became effective on January 1, 2020. The next milestone will be on July 1, 2020, when the California Attorney General will begin enforcement for the CCPA.
Non-compliance can result in the maximum fine of $7,500 per violation. When you consider how many consumer records you hold, the potential fines could stack up quickly if you don’t take CCPA seriously. We still don’t know exactly what enforcement will look like since we haven’t yet approached July 1st, but the Attorney General has established a firm stance on compliance by stating,
“If they are not (operating properly) …I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.” – Attorney General Xavier Becerra
Since nothing like the CCPA has surfaced in the US before, no one knows for sure what enforcement will look like. However there are several indicators of the AG’s intent on enforcing the CCPA.
The AG has a complaint link posted for consumers:
By setting up a mechanism (prior to July 1st) to empower consumers, this indicates the AG is serious about consumer rights and enforcement. This provides consumers with an easy way to post a complaint against a business.
If we look at what has happened with GDPR, what often drives enforcement is volume of complaints against a company and breaches which invites a complete review of that company. Large companies like Facebook and Google are obvious targets for the CCPA and are likely top of mind for the California AG, however that doesn’t mean he will ignore all others in scope.
“We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that … demonstrate an effort to comply,”
-Attorney General Xavier Becerra
So, what does this mean for you? The best thing you can do to prepare for enforcement is to do SOMETHING. A complete lack of effort for compliance will be obvious. We believe that some of the easiest elements to enforce will be:
A clear and conspicuous link titled “Do Not Sell My Personal Information” on the home page and privacy policy.
The Washington Post published a list of enterprise companies that have the links available on their sites, they also reference several other resources that provide the links as well. This indicates consumers are already looking for this link, and if they don’t find it, it could lead to enforcement issues.
2. Intake Method
If you are in scope of the CCPA, you should provide a way for consumers to exercise their data rights. Having some kind of intake method and a process for responding to those requests will be key for enforcement compliance.
3. Notices
Request a demo of our privacy rights platform to learn how we can help you automate, organize and update your procedures to help meet compliance requirements under the CCPA, and future laws, one step at a time.
About Ale Johnson
Ale Johnson is the Marketing Manager at Truyo.