Many Companies Still Have Lots to Do Before CCPA Enforcement Begins on July 1, Holland & Knight Reports
SAN FRANCISCO (February 13, 2020) – Although most large companies committed significant time and resources to comply with the California Consumer Privacy Act (CCPA) in 2019, many appear hesitant to invest in implementing the new requirements found in CCPA's draft regulations issued late last year and updated on February 7, 2020, until the final requirements of the law are known, according to a new report from Holland & Knight. Read the full report here.
"A Report on Businesses' Implementation of the California Consumer Privacy Act in the First Month" is based on a survey of the websites of 125 top U.S. companies, including the Fortune 100, to assess how businesses have operationalized the CCPA's requirements despite lack of guidance from the state regulator. The survey was conducted between January 20 and 31, 2020.
Among the key findings:
- Implementation is California focused, with nearly 65 percent of companies surveyed restricting the access, deletion and do-not-sell rights that form the core of CCPA to California residents only. This finding is surprising given businesses' low expectations that the federal government will pass comprehensive privacy legislation in 2020 to preempt CCPA and similar state laws being considered across the country. Just over 20 percent of companies make CCPA rights available nationwide and almost 15 percent had made no website updates for CCPA.
"The range of approaches observed confirms that businesses are truly struggling to understand the nuances of the law and are hampered by not knowing the final requirements that will be enforced come July," said Ashley Shively, the Holland & Knight partner who authored the report. "Any company that has not made good faith efforts, however, risks becoming a target for enforcement, especially given that the California attorney general has been vocal about making an example of those companies that do not implement the new law properly."
Although the survey only looked at the publicly available aspects of a company's compliance and may not reflect the entire picture of a business's efforts to comply with the law, particularly after the attorney general released modified regulations on February 7, 2020, a website review was the most practical way to gauge the status of implementation.
About the Data Strategy, Security & Privacy Team: Holland & Knight's Data Strategy, Security & Privacy Team offers the full range of solutions companies need to operate in today's data-driven marketplace. The team has the broad set of litigation, legislative, legal, compliance, crisis management and technical experience required to develop holistic, tailored solutions for clients. The firm offers true one-shop capabilities with its full-service practice that addresses even the most complex cybersecurity and privacy issues.