Press Release
February 13, 2020

Many Companies Still Have Lots to Do Before CCPA Enforcement Begins on July 1, Holland & Knight Reports

SAN FRANCISCO (February 13, 2020) – Although most large companies committed significant time and resources to comply with the California Consumer Privacy Act (CCPA) in 2019, many appear hesitant to invest in implementing the new requirements found in CCPA's draft regulations issued late last year and updated on February 7, 2020, until the final requirements of the law are known, according to a new report from Holland & Knight.

"A Report on Businesses' Implementation of the California Consumer Privacy Act in the First Month" is based on a survey of the websites of 125 top U.S. companies, including the Fortune 100, to assess how businesses have operationalized the CCPA's requirements despite lack of guidance from the state regulator. The survey was conducted between January 20 and 31, 2020.

Among the key findings:

  • Implementation is California focused, with nearly 65 percent of companies surveyed restricting the access, deletion and do-not-sell rights that form the core of CCPA to California residents only. This finding is surprising given businesses' low expectations that the federal government will pass comprehensive privacy legislation in 2020 to preempt CCPA and similar state laws being considered across the country. Just over 20 percent of companies make CCPA rights available nationwide and almost 15 percent had made no website updates for CCPA.
  • Companies that did not add a webform are vindicated in the latest update to the draft regulations. At the time of the survey, nearly a quarter of companies did not offer a webform for consumers to submit privacy requests. Unsurprisingly, Holland & Knight observed significant overlap between the companies that offer only email submission of requests and those that have a global privacy policy also covering GDPR, which only requires email for requests. Those companies that delayed building a webform were rewarded in the February 7, 2020, update to the draft regulations, which dropped the webform requirement. Twenty-seven percent of companies do not currently offer a dedicated toll-free telephone number for submission of consumer requests, another requirement that remained in the updated draft regulations.
  • The approach to Do Not Sell varies widely – blame cookies. Navigating the ambiguity around cookies and similar tracking technologies to implement CCPA's Do Not Sell requirement is one of the most challenging issues companies face and where the survey identified substantial differences in implementation. Only 22 percent of companies surveyed include a Do Not Sell link in their website footer and less than 10 percent actually state in their privacy policy that they do not sell personal information. The remainder, 56 percent, are either silent on the point or acknowledge that they may sell personal information as defined under CCPA but do not provide consumers with a straightforward way to opt out.
  • Notice of Financial Incentives is often not included in privacy policy. Just over half of the companies surveyed do not mention discrimination or financial incentives in their privacy policy. Of those that do, most address the financial incentive language in CCPA's draft regulations with a general statement that consumers will not be discriminated against for exercising their CCPA rights. Fewer than 10 companies acknowledged that they may charge a different rate or provide a different level of service. No surveyed company currently provides a "good faith estimate of the value of the consumer's data that forms the basis of offering the financial incentive or price of service difference" and a description of the method used to calculate such value in its privacy policy, as required by the draft regulations.

"The range of approaches observed confirms that businesses are truly struggling to understand the nuances of the law and are hampered by not knowing the final requirements that will be enforced come July," said Ashley Shively, the Holland & Knight partner who authored the report. "Any company that has not made good faith efforts, however, risks becoming a target for enforcement, especially given that the California attorney general has been vocal about making an example of those companies that do not implement the new law properly."

Although the survey only looked at the publicly available aspects of a company's compliance and may not reflect the entire picture of a business's efforts to comply with the law, particularly after the attorney general released modified regulations on February 7, 2020, a website review was the most practical way to gauge the status of implementation.

About the Data Strategy, Security & Privacy Team: Holland & Knight's Data Strategy, Security & Privacy Team offers the full range of solutions companies need to operate in today's data-driven marketplace. The team has the broad set of litigation, legislative, legal, compliance, crisis management and technical experience required to develop holistic, tailored solutions for clients. The firm offers true one-shop capabilities with its full-service practice that addresses even the most complex cybersecurity and privacy issues.
