California Means Business: How To Cope With The CCPA (And CPRA)

Like it or not, the California Consumer Privacy Act (CCPA) is now in effect. And worse may be coming.

An even tougher regulation, the California Privacy Rights Act (CPRA), will be on a ballot initiative in November. And chances are Californians will vote for it.

Among other things, the CPRA would set up a new state agency to enforce the law, and would build additional fences around personally sensitive data while strengthening the ability of consumers to have information deleted. 

It also would expand employee rights, according to an advisory by David L. Cheng and Noah M. Woo of Ford & Harrison LLP, as published on Lexology. 

But that law, if it comes, probably won’t be implemented until 2023. Until then, firms will have their hands full dealing with CCPA. 

Don’t think CCPA applies only to firms based in California. It affects any company doing business in the state, warns Matt Voda, CEO of OptiMine Software.



Moreover, “this is not a one-time event,” Voda says. “Call it the first taste, but a dozen other states have legislation in the pipeline.”

The danger is that there will be a “patchwork of regulations,” Voda continues. A comprehensive federal law would make it easier to comply — not that this will be happening soon, he notes. 

What does the CCPA require? First, brands have to have “clear messaging and mechanisms” to allow consumers to opt out and be forgotten, Voda notes.  

The rules regarding email do not seem onerous at first glance: Like Can-Spam, the CCPA requires that consumers be able to opt out. But that can be a complicated task.  

“Brands are using email service providers and external vendor databases,” Voda says. “They have to make sure that the requests go to all email service providers and flow through to the vendors.”

There is no requirement that consumers must opt in to email lists, but Voda notes that this is the best practice.

“There are guidelines,” he says. “Brands are doing the right thing — opt-in.”

Voda’s Minneapolis-based firm helps brands measure their marketing performance in both digital and print channels without using personally identifiable information.  

Who’s doing well at adhering to CCPA? 

“Financial services firms tend to be upfront in compliance,” Voda says. “They have the staffing” to deal with it. Retail brands are less well-prepared.  

Is the state suing companies? 

“I haven’t seen anything in the last 24 hours,” Voda laughs. 


