CCPA Updates: Dec 2019
As I’ve blogged about before, the California Consumer Privacy Act (CCPA) will significantly change the landscape for tech companies who do business with California residents.

As I’ve blogged about before, the California Consumer Privacy Act (CCPA) will significantly change the landscape for tech companies who do business with California residents.

Now that we are less than a month away from the CCPA’s implementation, more has become clear about what it means for small and mid-sized businesses.

However, there’s still quite a bit of uncertainty. In this update, I’ll explain some reasons for the uncertainty and summarize the must-do steps for startups.

The United States Consumer Data Privacy Act of 2019

Presently, the largest source of uncertainty about the CCPA is it being pre-empted or invalidated by a privacy law on the federal level. Both Democratic and GOP members of Congress have proposed various federal privacy acts. The latest GOP proposal, published December 5, would supersede the CCPA and thus invalidate many, if not all of its provisions.

If such a bill passes federally, the CCPA could be a very short-lived regulation. Sentant will keep a careful eye as these bills progress through the legislature.

Private Right of Action

One of the most significant changes to the CCPA has been an amendment to clarify the private right of action (AB 1355). Individuals may in limited circumstances pursue suits against tech companies for statutory damages if there has been a breach of an individual’s name along with their:

Notably, companies have 30 days to “cure” the breach and provide “an express written statement that the violations have been cured and that no further violations shall occur” to avoid liability for statutory damages under the CCPA. It remains unclear exactly what “cure” entails, and the recent regulations published by the Attorney General do not mention it.

This means if a breach doesn’t involve the above information, the company cannot be sued for money by consumers. Consumers can only seek injunctive or declarative relief, which is far less likely to be pursued.

Since many companies do not collect any of the above data, this is a key distinction.

Attorney General Publishes Draft Regulations

Much anticipated draft regulations of the CCPA from the California Attorney General were published in late November. These give detail on what is required from Privacy Policies, CCPA notices on websites and in-app, and handling CCPA requests.

However, it’s absent of clarification for many of the questions privacy experts have had (such as what cure means mentioned above); and expect further information to be published as time goes on.

Must Haves for Tech Startups

While this list is not exhaustive and will differ from company to company, major elements of CCPA compliance for startups boil down to:

If your business deals with vast amounts of consumer data or particularly sensitive data, it’s likely this list will grow a lot longer. The above list represents the minimum “must-haves” for companies in scope for CCPA compliance.

Sentant is continuing to monitor the CCPA’s development and communications from the Attorney General and will continue to publish updates as the CCPA comes into effect.