Dive Brief:
- Thirty-three trade associations, companies and organizations are asking the California Attorney General for a compliance extension for the California Consumer Privacy Act (CCPA) due to the novel coronavirus outbreak, according to the letter submitted to California Attorney General Xavier Becerra.
- While the organizations support the underlying cause for the CCPA, they need time to "absorb the shock to the system" the pandemic is having on industries. The organizations suggested enforcement should begin on Jan. 2, 2021 instead of the original July 1 deadline.
- "We are concerned that given current events and the presently unfinished status of the regulations implementing the CCPA, businesses will not have the operational capacity or time" to comply by July, the letter said.
Dive Insight:
As the U.S. workforce is largely remote due to coronavirus, data is in constant motion. Compliance meant to pass a one-time audit isn't sustainable. More than two-thirds of companies fear they can't sustain their compliance.
The key is tracking where data travels and how it accumulates. This year will be an overwhelming time for companies because data's security risk has never been higher.
With the CCPA, some companies had to put a privacy "muscle" in place for the first time last year. If an extension is granted, it's unknown how the AG "will treat any alleged infractions that took place before their enforcement regime goes into effect," Dan Jaffe, Group EVP, Government Relations, Association of National Advertisers, and one of the letter's contributors, told CIO Dive.
The CCPA went into effect on Jan. 1, but the rules are not yet finalized. The California AG is still revising the final regulation requirements. The office released its second draft of rules in February and held seven public forums. It received more than 300 comments.
On Jan. 1, companies "immediately faced legal jeopardy from private rights of action lawsuits for any data breaches covered under the CCPA," Jaffe said.
The rolling modifications of the rules are making compliance a moving target, according to Jaffe. In addition to uncertain regulations, the coronavirus pandemic released a "tidal wave of unexpected economic, logistical and staff bandwidth issues."
Encryption, access management and supply chain risk mitigation all factor into the technical side of data privacy. The only enforcement action guaranteed since Jan. 1 pertains to data breaches.