California’s new consumer privacy law, the CCPA, took effect on January 1, 2020. While enforcement didn’t kick in until July 1, a recent survey by PossibleNow, a consent solutions provider, found that only 25% of businesses expected to be fully prepared by the end of the six-month grace period.
The lack of preparedness mirrors what happened with the GDPR, a similar regulation in the EU. In the ramp-up to GDPR enforcement, businesses cited a lack of understanding about their own internal data processes and confusion about the law itself as major obstacles to compliance readiness.
As laws mature, enforcement actions (EAs) shed light on those concerns, but before enforcement starts, businesses often lack the data they need to fine-tune their compliance efforts. Businesses preparing for the CCPA, however, have one big advantage over their GDPR peers: They didn’t have to go first. The two laws are similar enough that first-wave EAs under the GDPR, which has been enforced since May 2018, can serve as a temporary substitute until CCPA enforcement patterns emerge.
To be certain you’re ready for the law’s onset, keep these five lessons in mind:
1. Neither size nor sector will protect you.
The first GDPR-related fine (for €400,000 or approximately $431,000) was issued in Portugal to a hospital near Lisbon for inappropriate data access controls. The next fine (€20,000 or approximately $21,560) was issued in Germany to a social media company for storing user passwords in plain text.
Other early fines included one in Italy targeting a data processor for lack of oversight, another in Poland citing a football association for improperly listing the personal information of referees on its website, and a €50 million (approximately $54 million) fine handed to Google by France’s data protection regulator for noncompliant data consent policies.
The early fines were issued to organizations in sectors across the economy and throughout the EU, with targets ranging from single individuals all the way up to multinational corporations. Financial penalties ranged from a low of €1,400, issued to an individual police officer, to a high of €50 million, issued to Google.