Four months after the General Data Protection Regulation (GDPR) burst onto the data privacy scene in May, many businesses are still scrambling to meet the law’s extensive requirements. But now, there’s another looming deadline for many businesses. In June, the California State Legislature passed its own set of privacy regulations named the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA restarts the compliance countdown for many affected businesses still reeling from the GDPR transition. While the CCPA is still being finalized (a technical corrections amendment was recently passed on August 31, 2018), here are six lessons learned from the GDPR compliance struggle that can save your business time and money as you prepare for the CCPA.
1. Compliance will take longer than you think.
Despite the two-year gap between passage of the GDPR and the May 25, 2018 effective date, surveys indicated that only about half of the businesses affected by the GDPR achieved compliance by the deadline. For many small and medium-sized organizations without mature privacy programs, full GDPR compliance can easily take six to eight months to complete. For larger businesses, or businesses with high-volume, complex data processing, the process can take even longer. Even though certain provisions of the CCPA are not slated to take effect until January 1, 2020, companies should begin developing CCPA-compliant protocols sooner rather than later so they reach compliance before the deadline and avoid fines and lawsuits that could otherwise have been avoided.
2. Getting started early saves money later.
In addition to avoiding costly fines and lawsuits associated with violations of data privacy regulations, businesses that developed an early, intentional compliance strategy for GDPR preparation often reduced their overall transition costs. For example, organizations that gave their compliance team and legal counsel enough time to plan and implement appropriate compliance steps were more likely to avoid unnecessary and inefficient efforts that resulted from a rushed changeover. In addition, strategically planning future ad campaigns, apps, and products to meet GDPR or CCPA compliance standards can help avoid the need to make expensive modifications to these investments in the future.
3. Don’t assume you’re off the hook.
Just because your business isn’t based in the EU doesn’t mean you are free from the GDPR, and likewise, just because your business isn’t physically located in California doesn’t mean you can ignore the CCPA. Many affected companies made the mistake of assuming they didn’t have to worry about the GDPR until it was too late to reach compliance by the deadline. However, both the CCPA and GDPR extend to companies that are based outside of the borders of California and the EU, respectively. Make sure to review and verify the status of your business under the regulations to ensure that you aren’t at risk for regulatory investigations and lawsuits.
4. Confusion and uncertainty are expected.
Both the GDPR and the CCPA represent wholesale changes in data privacy regulation. As a result, some uncertainty and confusion surrounding the interpretation and enforcement of these new regulations is to be expected. This ambiguity led some businesses to take the risky “wait and see” approach to compliance, without fully understanding the risks they were taking, and without realizing that they could be punished in the future for the period during which they were intentionally noncompliant. But smart businesses aren’t taking any chances. By making good-faith efforts at achieving compliance on time (and being able to demonstrate those efforts to a regulatory authority), businesses can greatly reduce the risk of fines or lawsuits, even if they end up missing the compliance deadline.
5. Data subject rights are here to stay.
The GDPR and the CCPA define specific data subject rights that all covered businesses must be prepared to enforce. While each set of regulations lays out different variations of data subject rights, there is an unmistakable trend toward elevated scrutiny and greater transparency when it comes to allowing an individual a measure of control over their personal data. Even if your business is not subject to these regulations now, integrating many of these requirements into your operation, including an individual’s right to access, right to erasure, and right to withdraw consent, can give you a leg up should a broader, farther-reaching piece of legislation be passed in the future.
6. Significant fines and class action lawsuits await the noncompliant.
Large data privacy class action lawsuits have become a regular occurrence in today’s privacy-sensitive climate. Under the GDPR, individuals are given a number of private rights of action, including the right to bring a class action lawsuit. On the first day of the GDPR, for example, both Facebook and Google were hit with lawsuits seeking approximately $8.8 billion. When the CCPA launches in 2020, enterprising class action attorneys are expected to lead a surge of consumer litigation under the CCPA’s private right of action. In addition to lawsuits, businesses will want to protect themselves from costly fines as well. While CCPA fines (up to $7,500 per violation) are initially smaller than GDPR fines, the CCPA also allows for statutory damages between $100 and $750 per consumer, per incident. Compliance violations also have the potential to quickly become PR nightmares for an organization, as public support continues to swell for stricter data protection laws, making effective compliance all the more important.
While none of these lessons offers a magic bullet that can ensure your organization will be compliant when the CCPA takes effect in 2020, learning from these lessons can help your business stay ahead of the compliance curve, and better prepare for a data-protected future. Moreover, taking a proactive approach to the coming wave of data privacy laws can pay financial, legal and PR dividends down the road.