cloudsystem

 

Whether anyone asked for the California Consumer Privacy Act for Christmas or not, the law is scheduled to officially go into effect on Jan. 1, 2020, and it's possible that many businesses still have some prep work ahead of them when it comes to updating their cloud agreements.

That insight arrives courtesy of Baker McKenzie's 2019 Cloud Survey, which garnered 190 responses from professionals across the globe working in roles that include legal, information security, sales, marketing, information technology, procurement and C-suite level.

While 80% of those respondents indicated they had amended cloud agreements as a result of the EU's General Data Protection Regulation, only 26% had done the same for the CCPA. An additional 44% said "not yet" with regards to the CCPA, while 30% answered "no."

So with the CCPA's implementation date right around the corner and enforcement expected to begin by July 2020, will organizations be able to make the necessary updates to their cloud agreements before the buzzer sounds?

"Certainly it's not an ideal time to be starting, but it's definitely not too late," said Adam Aft, a partner at Baker McKenzie.

He indicated that responses for the survey were actually collected over the summer and expects that the "yes" column might skew a little higher if respondents were asked the same question about their cloud agreements and the CCPA now.

Part of the delay may be attributable to the CCPA itself. Jarno Vanto, a partner at Crowell & Moring, pointed out that the final text of the privacy regulation won't be solidified until December.

"So that's made it somewhat challenging, for example, to come up with language for [cloud or other] agreements that will meet the CCPA requirements," Vanto said.

However, time may be a luxury that organizations can't afford. Christopher Ballod, a partner a Lewis Brisbois Bisgaard & Smith, said that by the time December rolls around, the process of ironing out all of the mechanics involved in a cloud agreement, including putting mechanisms in place to satisfy subject data requests, may be too much to accomplish before the CCPA's implementation date. 

While having previously undertaken a similar process to comply with the GDPR may provide impacted parties with a data map and a framework to start from, the CCPA adds a new wrinkle in the form of a private right of action that could find organizations and their cloud providers embroiled in a protracted game of hardball negotiations over where the burden of that liability falls.

"The risk is potentially uncapped, right? You have an unknown as to what litigation can end up looking like," Ballod said.

Beyond the scope of the risk involved, there's also the reality that organizations have more agreements than just those pertaining to a cloud provider that need to be brought up to speed with CCPA. According to Vanto, all agreements involving a vendor that has access to a consumer's personal information will have to be revisited to ensure compliance.

"It's reasonable to say that there will not be enough time. In some cases, we're looking at hundreds of agreements per company and thousands of agreements," Vanto said.

The enforcement timeline may buy companies more time to get up to speed, but it would not be wise for organizations to treat the Jan. 1 implementation date too flippantly. Aft indicated that movement toward compliance is not the same thing as actually being compliant in the eyes of regulators.

"That would be great if that were the case, but unfortunately that's not quite the way it works," Aft said.