‘Companies have their hair on fire’: California privacy law compliance is likely to be a last-minute scramble

The California privacy law is especially challenging for companies trying to comply with it because the law is a moving target. The California state legislature may still pass amendments to the law this year, and those amendments could force companies to undo or redo their early compliance efforts. Additionally, the law takes a broad definition of personal information. For example, it covers any information that identifies or “could be reasonably linked, directly or indirectly” to an individual or household, according to its text. The inclusion of “reasonably” can complicate companies’ abilities to determine whether they are or are not subject to the law, a determination that will ultimately be up to the California attorney general’s office, which is charged with enforcing the law and has only recently begun a series of public hearings to solicit feedback on clarifications that may be needed.

“You’re trying to fix the plane while it’s in the air and not crash. The takeoff has already happened. The law has passed,” said Jaffe.

The first issue is just less time: Companies had four years between when the GDPR was approved and when it was enacted to have meetings and hearings with regulators to understand how companies are expected to comply with the law. For the California privacy law, companies will have had just shy of 18 months between when it was approved in July 2018 and when it will take effect on January 1, 2020. That window is made tighter by the fact that there remain a lot of unanswered questions regarding how companies are expected to comply with the law and it is unclear when or even if clarifications will be made.

Many questions, few answers
Those questions may or may not be answered during the six public hearings that the California attorney general’s office began hosting throughout the state in January. The attorney general’s office is using these hearings to solicit feedback on the rules it is responsible for making that companies are meant to adhere to when abiding the law. Then there’s the further complication of the potential for amendments to be made to the law.

Industry organizations, including the ANA and the Interactive Advertising Bureau, continue to relay clarification and change requests to the state attorney general and legislators. The ANA’s svp of government relations Christopher Oswald attended a public hearing that the attorney general’s office held on January 14 in San Diego to request five clarifications, and the IAB’s evp of public policy Dave Grimaldi plans to attend the hearing that will be held in Los Angeles on January 25 to similarly provide feedback. The IAB also plans to schedule a “lobby day,” in February to meet with state legislators in Sacramento, said Grimaldi.

No time to wait
Given that much of the law remains in limbo, companies looking to comply should operate under the assumption that the law will not change, Jaffe said.

In late November, law firm Perkins Coie hosted a fireside chat in its San Francisco office with California special assistant attorney general Eleanor Blume to discuss the California privacy law. “It’s pretty clear that she was taking a position that companies should really get started in their thinking about the CCPA and that they should not be hanging back waiting for amendments before they get started with thinking through what this might mean for their business,” said Dominique Shelton Leipzig, partner at Perkins Coie and co-chair of its ad tech privacy and data management practice.

Early compliance steps
Legal experts such as Leipzig and industry organizations including the IAB have recommended that companies should get started by taking an inventory of the data that they collect from people, including their own employees. This is important because when the law takes effect on January 1, 2020, companies will be responsible for the data that they collected over the prior twelve months, meaning that companies will need to review the data they have collected since January 1, 2019.

Companies that have had to comply with the GDPR should have already done this data management work and are likely “70 to 80 percent of the way home on CCPA compliance,” said Greg Leighton, partner at law firm Neal Gerber and Eisenberg. For these companies, Leighton’s general advice is to “continue to take a wait-and-see approach until at least Q3 or Q4” when clarifications are likely to have been made.

Companies that did not need to comply with the GDPR but meet the California law’s requirements — at least $25 million in gross revenue or deals with the data of at least 50,000 people or devices for business purposes or makes at least half its money from selling people’s data — will need to do the data inventory to assess the data coming into their companies, how that information is processed and how it is stored.

“There’s no way to do a compliance program for CCPA without doing those basic activities first,” Leighton said.

Once that data management work is done, then companies can look at low-hanging fruit like revamping their privacy policies to reflect the law, such as its requirements for companies that sell people’s data to provide people with a way to opt out of that sale and to request that the company deletes that data.

Maybe by that time, there will be more clarity into how companies are meant to comply with the law. And if not, at least companies will have done enough to indicate to the attorney general’s office that they did not spend the lead up to the law taking effect by sitting on their hands. “It’s more that companies have their hair on fire rather than they’ve been sitting on their hands,” said Jaffe.