CaCPA – How to Hit a Moving Target

Published On September 25, 2018

Privacy compliance reached a new level of executive visibility when the California legislature passed the California Consumer Privacy Act of 2018 (CaCPA) this past June. Companies, consultants, and privacy professionals have been pouring over the law and monitoring amendments to it so they can assess the impact to operations, understand the financial implications, and formulate a plan to meet the “final” requirements of the law.

It is important to emphasize planning for compliance with the “final” version of the CaCPA, as the first amendment to the Act (SB-1121) was approved by the California Governor on September 17, 2018 and new revisions and requirements are expected to it before enforcement begins in July 2020. Meanwhile, additional privacy legislation is currently being contemplated by other states and Congress.

Adding to the uncertainty are recent remarks from Lindsay Walters, the president’s Deputy Press Secretary, advising that the White House National Economic Council intends “to craft a consumer privacy protection policy that is the appropriate balance between privacy and prosperity” and has reportedly been meeting with large corporations and trade associations to gather input. Thus, it can be said with a high degree of confidence that privacy compliance requirements in the United States are likely to continue evolving.

Planning for Change

Given that U.S. privacy law is somewhat in a state of flux, organizations everywhere are asking what they need to “know and do now” to best position themselves to respond to evolving privacy laws and requirements.

What You Should Know

• There is no certainty. The CaCPA was the first significant state privacy law passed in the United States. It was amended within the first 3 months of passage and is likely to be revised again before enforcement begins. Other states and/or Congress may enact new privacy laws with different requirements. Privacy compliance requirements will change over time. It is important to have trusted advisors and tools (internal and/or external to the organization) to monitor and communicate privacy law changes, facilitate discussions about the impact and risk of such changes, develop a strategy and plan to implement agreed upon compliance activities, and ensure and validate that compliance has been achieved within the requisite time period.
• There will likely be at least some impact to your organization. Resist the temptation to “wait and see” because you don’t believe the CaCPA , GDPR or other privacy laws apply to your organization. You may miss a great opportunity to mitigate risks, implement more effective processes and technologies, and respond more quickly to data breaches.
• You may lose potentially significant revenue opportunities. Privacy compliance is required to do business with clients that are subject to such laws. Be sure to carefully evaluate the impact of taking action — or not taking action – and ensure appropriate stakeholders and decision makers are involved in such discussions.

What You Should Do 

• Adhere to good information governance practices. Organizations must utilize effective information governance protocols to manage and protect personal data. Review your information governance processes, policies, standards, and metrics. Update them if necessary to appropriately balance “privacy and prosperity.”
• Maintain a current inventory of your organization’s personal data. If you don’t have an accurate and up-to-date inventory of all the personal data your organization collects, stores, processes and shares then this should be your top priority. Not having an accurate personal data inventory is a significant risk to your organization regardless of privacy compliance requirements because it inhibits your organization from adequately protecting the data and responding quickly to a data breach.
• Allocate sufficient resources to monitor and assess changes to personal data and breach notification laws. All 50 US states have enacted breach notification laws. Twenty-five states and Congress currently have breach notification-related bills pending as of September 2018. One cannot understate the importance of knowing what personal data you have, where it is located, and ensuring appropriate safeguards are in place to protect it. This foundational work is key to complying with new legal requirements that may arise.
• Leverage the tools you already have. If you have already implemented policies, procedures, and technologies to comply with GDPR, then you will be able to leverage some of the tools you already have available. Similarly, if your organization already has good information governance practices in place, then it should require less effort to tweak policies and procedures to comply with new privacy requirements.
• Run through some “what if” scenarios. Understand what it would take (resources, costs, time) to bring your organization into compliance should it be necessary. Determine whether it makes sense from a financial and/or risk perspective to take actions now that could help you comply (or gain a strategic advantage) later.

Organizations must remain agile and be prepared to adapt to change given the myriad of privacy, breach-notification and cybersecurity law updates expected in the United States during the coming years.

This is even more critical for organizations with a global footprint as privacy laws continue to expand and evolve across the globe. Plan for change now and your organization will be prepared to meet the compliance requirements of the future.

Personal data is just that – personal – and it is the responsibility of each organization to respect and protect it. The risks and consequences of failing to do so are too great to ignore. When customers don’t trust your brand – they will stop being your customers. The consequences of failing to operationalize privacy and comply with applicable laws are hitting bottom lines harder than ever.