California's Consumer Privacy Act of 2018 is still ramping up but already there's a 2.0 version in the works

The California Privacy Rights Act of 2020  (aka CCPA 2.0), a ballot initiative spearheaded by Californians for Consumer Privacy, the same group behind the original CCPA of 2018, was formally certified on June 25, 2020 by the California Secretary of State as having received enough signatures (more than 900,000) to appear on the November 3 ballot for California voters.  With that level of support, its passage is widely considered a fait accompli.

Meanwhile, the California Attorney General, whose enforcement powers went into effect on July 1, has served notice that he intends to begin enforcing the law now despite the fact that the final proposed regulations to implement the CCPA have not yet been adopted and may not be until early next year.  

All of which has left enterprises in a state of high uncertainty.  I spoke to Karen Schuler, a Practice Leader at BDO's Governance, Risk & Compliance National Practice and Principal at BDO Digital, about the new developments:

I think the lesson here is that CCPA and GDPR aren't the final say in data privacy-more regulation is coming as both legislators and the public better understand the persistent nature of data privacy threats. The sheer volume and variety of data privacy legislation makes data governance and management much more difficult. As of 2020, all 50 states have some type of data privacy law, from basic data privacy notification obligations to cybersecurity and monitoring requirements. Companies have to know which regulations apply to them, then design responsive compliance processes while avoiding redundancy. These processes are not easy or simple either. 

The proposed regulations on the November California ballot initiative certainly have a lot of flavor of GDPR; enhancing individual rights, requiring that you're able to locate data, that you can minimize data,  that you have a legitimate use for it.  There are provisions about consent  and requiring consent in certain situations to opt out functionalities. 

If this passes in November I can tell you that it will very close to being as stringent as GDPR, especially when you map it out line by line.

The final version of the CPRA of 2020 would allow consumers to correct personal information; limit businesses' use of "sensitive" personal information (like a consumer's precise geolocation, Social Security number, race, ethnicity, religion, genetic data, union membership, private communications, sexual orientation, health and biometric information); apply the CCPA's provisions on "sales" of personal information to certain "sharing" of personal information as well. 

It would establish stricter data retention periods; carry increased penalties for violations; and-significantly--establish a California Privacy Protection Agency to enforce and implement consumer privacy laws at a cost of approximately $10 million a year. It would also enhance children's privacy by tripling fines for violations of the CCPA's opt-in to sale right and creating a new requirement to obtain opt-in consent to sell or share data from consumers under the age of 16.  

In the face of so much global movement toward regulatory change, Schuler says enterprises should take a cyclical rather than linear approach toward building a compliance infrastructure:

Linear approaches are good for small companies who can say, for example, I just have to comply with CCPA and GDPR and that's all I need to pay attention to. If you operate in the U.S. and globally, you really have to find a way to take a more cyclical approach which is like saying I have to comply with 50 different laws around the world so I need to figure out which ones are the most stringent and focus on how to follow the toughest requirements or guidelines in each regulation. That's why BDO is encouraging companies to take the broader cyclical approach.

There is nothing easy about responding to even the most basic requests for information, Schuler says.  For example, consumers who simply want to know what information the company has about them:

If you don't have a program to respond to specific requests for information, you're going to be challenged by the new breed of regulations.  You have to go back and find which information you actually have on the system and where it is.  Surprisingly, that is very difficult for companies to do.  I am Karen Schuler and you have go back and find every piece of data and report back even specific information or even the categories of information.  That is a huge task. 

Then, there are even larger challenges like the history you have with the consumer or there are lengthy documents that you have to go through to make sure that it's redacted properly or there's personal information you don't want to convey. This is time-consuming and laborious.

What about all the new data privacy management platforms like OneTrust that automate many of these processes, I asked:

They're good and we work with them but we have not found one company that has been able to fully automate their consumer or data subject response capabilities.  There are portions of it that have always required human interaction.

Another difficult business challenge is the ability to erase records if a consumer says I don't want you to have any further information about me but there may be parts of the old record that you need to retain for other regulatory purposes. So, it's hard.  

My Take

With enterprises drowning in a sea of ever-expanding data and regulatory sharks circling ever closer, it seems apparent that implementing a strong data privacy

program is crucial to survival. According to BDO's Technology CFO Outlook Survey, CFOs see data privacy as a triple threat: It is the top regulatory concern, top business threat and rated as one of the biggest business priorities among this group. As Schuler put it: 

It is more important then ever for companies to incorporate "privacy by design"-a concept that prioritizes consumer privacy in the systems that collect and store personal data-at the beginning of all new digital initiatives. Sorting it out afterwards is an expensive and laborious task.  

If passed, some provisions of the CPRA would be effective on January 1, 2021, most compliance obligations would be required by January 1, 2023, and the CRPA would be enforceable by July 1, 2023.