With just over two months to go until the July 1 enforcement of the California Consumer Privacy Act, privacy professionals are zooming to get ready.
Julia Shullman, chief privacy officer and general counsel at TripleLift, has lost track of the number of CCPA prep calls and video chats she’s been on since the coronavirus lockdowns started in mid-March.
Instead of being able to meet up with the product and engineering teams for whiteboard sessions or sprinting over to a colleague’s desk with a quick question, “I’m Slacking folks to make sure they aren’t on kid duty,” Shullman said.
“We’re all just trying to put one foot in front of the other and making sure preparation doesn’t fall down on the list of priorities,” she said. “Because enforcement is coming up.”
Don’t put it off
Amid the barking dogs, the homeschooling stress, crying babies and unstable Wi-Fi connections, compliance folks need to focus on the complicated and nuanced work of developing a data protection framework.
“Complying with a new law of the magnitude of CCPA always takes a tremendous effort, and this new environment makes it extra challenging,” said Alice Lincoln, VP of data policy and governance at MediaMath.
Preparing for CCPA enforcement also requires resources that some companies are being forced to divert to what they perceive as more immediate needs, such as employee safety or business continuity plans, said Kenesa Ahmad, a partner and co-founder of privacy and data protection consulting firm Aleada Consulting.
Some companies, Ahmad said, are “putting privacy compliance on hold” and delaying any expense they don’t consider imperative right now. For startups trying to stay afloat, privacy compliance is not considered an essential, she said.
Even for companies plowing ahead, such as TripleLift, it’s harder to get the attention of big clients and industry partners, as lawmakers focus on stimulus bills, Shullman said.
And yet, California Attorney General Xavier Becerra has signaled that his office doesn’t plan to defer enforcement from July 1, as requested by numerous ad trade organizations, including the Association of National Advertisers. In early April, Becerra also issued an alert reminding consumers of their data privacy rights under CCPA during the COVID crisis.
“The unfortunate impact of the timing of CCPA and this pandemic is that companies are resource constrained and preoccupied,” Shullman said. “The result is that large platforms and large companies that already benefit by the structure of this law benefit more, because they have the resources to focus on the strategic implications.”
But there’s still a lot that companies can do to get ready for CCPA enforcement remotely.
“We still hold weekly meetings, only instead of in person, they’re virtual,” said Rachel Glasser, chief privacy officer at Wunderman Thompson.
Companies can also do virtual training sessions. Under the law, businesses are required to provide CCPA training to any employees that handle personal information or field consumer inquiries about privacy practices, said Müge Fazlioglu, a senior research fellow at the International Association of Privacy Professionals.
Data mapping exercises, vetting vendors and other partners based on their adherence to privacy principles, legal assessments of data practices and running data protection impact assessments are all more challenging remotely – but doable – and shouldn’t be neglected, said Fazlioglu. And neither should creating auditable records of all the steps that were taken.
“Ultimately, what companies should be doing right now depends on where they are in the compliance journey, while keeping in mind that compliance is indeed a journey and not a destination,” Fazlioglu said.
Just don’t forget to “wear pants” on your journey, Glasser joked.
“In all seriousness, though, stay focused, communicate with your team regularly and keep moving forward,” she said.
These uncertain times …
CCPA prep is also complicated because the attorney general’s implementation regulations aren’t finalized yet and, after months of back and forth and multiple drafts, businesses are still waiting.
Given these constraints, the industry has pretty much done as much as it can for the moment, Shullman said.
It’s also unclear how active the AG will be on enforcement come July.
From one perspective, it’s “hard to imagine the AG really enforcing CCPA in the midst of a global pandemic” that’s created such profound disruption of the US economy, said MediaMath’s Lincoln.
Still, “a crisis doesn’t suspend the law,” she said.
And companies that get lax and assume the AG won’t enforce right off the bat might get hit.
Nothing could be easier for a regulator than visiting a website to check for privacy notices, for example. Or making sure a company is providing the requisite contact info consumers need to exercise their access and deletion rights.
There’s a lot of low-hanging fruit out there, said Wayne Matus, general counsel, VP and co-founder of privacy compliance firm SafeGuard Privacy.
“If I’m a regulator, I’ll have millions of consumers reporting to me and plaintiffs’ lawyers dying for business,” Matus said. “I’m not worried about a lack of enforcement here.”