Too Late? Businesses Still Working on CCPA Compliance as Enforcement Starts
As CCPA enforcement start, many covered entities may still be struggling to understand whether the law applies to them and how to best tackle challenges around third-party cookies and data access requests.
July 01, 2020 at 10:00 AM
4 minute read
Enforcement of the California Consumer Privacy Act (CCPA) officially went into effect this week. But for many of the covered entities spread across the United States and abroad, compliance may still be a work in progress. Not only did companies face the unexpected logistical and financial hurdles presented by the COVID-19 outbreak, but there also still remains some lingering confusion over what abiding by the CCPA actually entails.
Liz Harding, a shareholder at Polsinelli, indicated that while there are some organizations that learned from their experience attempting to comply with the EU's General Data Protection Regulation (GDPR) in 2018, there will still be a significant number of companies that are not CCPA compliant as of Wednesday. Although California's regulation officially went into effect Jan. 1, Harding noted that some businesses are just now waking up to the stringent expectations of regulators.
"There is a little bit of a misperception that just updating your privacy policy is enough. And obviously there's a lot of other stuff that goes behind that as well. So these compliance projects are often sort of more substantive than companies realize," Harding said.
But not all businesses may have waited until the last minute to begin CCPA preparations. Laura Jehl, global head of the privacy and cybersecurity practice at McDermott Will & Emery, believes that most companies who really cared about compliance or felt that they were at significant risk made a push to get their house in order by Jan. 1.
However, those same entities may be indefinitely pushing off some of the more complex aspects of the CCPA, such as those pertaining to the use of cookies. Per the California regulation, a business to notify consumers if it sells personal information and give them the opportunity to opt out.
Jehl indicated that companies are still getting tripped up over the question of whether or not deploying third-party cookies on a website constitutes a sale. As a result, some are "punting" the issue entirely.
"Either just not addressing it as a sale at all, taking the position that it's not [a sale]. Or having these policies that I call 'conscientious objector policies' in that they say 'we don't think we think we sell your data but as it's defined under CCPA, it might be a sale and here's how you can opt out,'" Jehl said.
In some cases, the problem may boil down to sheer ignorance. Harding noted that some companies are of the sincere belief that they don't sell data—but actually do. "If I had a dollar for every client who said to me, 'well we don't sell personal information,' I'd be able to retire," she said.
Other compliance issues likely to continue beyond the July 1 enforcement deadline include the management of data subject access requests (DSAR). The CCPA requires companies to thread a small needle, verifying the identity of a person behind an incoming DSAR without inadvertently collecting more personal information in the process.
A more obvious hurdle may be the sheer volume of requests themselves, the number of which sometimes includes people who have never had any relationship to the company whatsoever. Jehl at McDermott indicated that privacy advocates have been asking random supporters to submit access requests to companies as way to audit CCPA compliance.
"We've seen a lot of people that when we do Google them, or look them up, appear to be lawyers of some kind … They may be trolling for some kind of lawsuit," Jehl said.
But the despite the difficulty involved, companies may do well to focus on streamlining and reinforcing their DSAR response process. Harding believes that consumer requests will be among the initial enforcement priorities for regulators, along with transparency around the use of personal data.
"Those are the areas I think we're going to see the most enforcement," Harding said.
Still, there's also the possibility the state Attorney General's Office won't be able to move as quickly as they would like due to the impact that COVID-19 has had on their own resources. "There's an interesting calculus going on about how much enforcement is there really going to be. It's a small, under-resourced office anyway," Jehl said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
