What you may have overlooked in the run-up to CCPA compliance

From how to handle web browser cookies to overlooked security requirements, here are four things to consider before the CCPA compliance date.

With just days to go before the California Consumer Privacy Act (CCPA) compliance date, some companies may be scrambling to get their data collection and management processes in order. Others, however, might be taking a wait-and-see approach before fulling investing into large-scale changes. Whatever an organization’s plan, there are certain things all covered entities should know about the far-reaching privacy law before January 2020.

Related: What California’s consumer privacy act means for employers

From how to handle web browser cookies to overlooked security requirements, here are four things to consider before the compliance date:

The CCPA is mostly ready

Those waiting to see how the “final” CCPA takes shape may be too late. Amendments to the CCPA that passed California legislature in September 2019 have been signed into law, and the state’s Attorney General released proposed CCPA regulations in October 2019. As of the end this year, the CCPA is ready for prime time.

“I would say 95 percent of the puzzle is [set] so companies should get on that 95% instead of waiting for that 5 percent to be finalized around the edges,” said Dominique Shelton Leipzig, chair of adtech privacy and cybersecurity group at Perkins Coie.

To be sure, the attorney general’s regulations are only proposed. But while the CCPA will evolve over time, Leipzig believes any changes will likely be minor. “I wouldn’t expect radical departures from what we see in the regulations already.”

Cookies are likely for sale

One of the unique mandates of the CCPA is allowing customers to opt out of having their data sold to third parties. While that may seem straightforward, it can get complicated when considering what exactly constitutes a sale. Take for example, “cookies,” which are lines of code that track a user’s web browsing and often used to create targeted online advertisements.

“I would think seriously about having a do not sell link if a company has third-party cookies on their site,” Leipzig said. “There are different points of view in terms of whether cookies constitute a sale, but I can say that my understanding is the Attorney General’s Office considers third-party cookies that go across multiple websites to be a sale under the statute.”

Of course, this view could change over time. “As we know the California Attorney General regulations are still proposed; they’re not finalized—and we won’t see a finalized version for some months,” said Mark Schreiber, partner at McDermott Will & Emery. But as for now, it might be better to safe than sorry.

Enforcement action is delayed, but not litigation

Those waiting to see how enforcement action will shape up under the CCPA will have to wait a while longer. While the compliance date for the regulation is Jan. 1, the date the state attorney general can start enforcing the CCPA is set to be no later than July 1.

But even without an active attorney general, there are likely to be plenty of CCPA battles before the summer. “With regard to the private right of action that exists under the statute, there is no delay to bring [those] actions,” Leipzig said.

And there are already signs that litigation may ramp up quickly. “We are already seeing that there are some 13 cases in California that have already been filed that expressly mention the CCPA, and there’s another 14 that lift language from the CCPA,” Leipzig added.

‘Reasonable’ security is required

The CCPA isn’t all about privacy. In fact, the regulation also mandates that covered entities maintain reasonable security procedures, something that does not get as much attention as the data handling requirements. “It certainly hasn’t been focused on and it ought it to be,” Schreiber said.

To  be sure, exactly what constitutes “reasonable” security isn’t clarified in the CCPA. Still, Schreiber said that there are hints in what the state expects given its past positions. “The California attorney general years ago in other pronouncements identified the 20 CIS [security] controls —which is this fairly intense and robust set of security standards—as being what California would look to. So that’s been out there for some years and those are fairly granular in terms of the different components that need to be looked at.”

Read more: