Are You Ready For a CCPA Data Privacy Litigation “Gold Rush”?
Starting in July, the California Consumer Privacy Act enters the realm of enforcement. Will that quickly be followed by a land grab of litigation? And how can companies avoid getting swept up in it?
The CCPA has seen more than its fair share of modifications and amendments over time. One thing that’s stood rock-solid is that fact that the California A.G.’s office isn’t going to relent on enforcement, even with the disruptions imposed by COVID-19:
“Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it.”
The changes that have occurred to the CCPA, and the other regulations springing up or proposed in various regions, nations, and states, only underscore the shifting nature of the data privacy landscape. Efforts like those undertaken by the Uniform Law Commission are aimed at coherently unifying US data privacy laws, but it’s anyone’s guess as to when that comes to pass.
Five key facts about the new data privacy reality
In the meantime? The arrival of CCPA enforcement makes data privacy compliance an urgent reality for hundreds of thousands of businesses that engage in commerce with Californians.
As is often pointed out, “regulation spawns litigation,” especially when any new law gives plaintiffs a right to pursue damages against companies that have violated the law. The CCPA will be no different, as there may be a veritable new California gold rush as aggressive litigators launch lawsuits. Some haven’t bothered to wait for enforcement to begin.
There are five key facts that corporate legal departments and risk and compliance teams are now forced to embrace about this situation – and use to guide their actions as we cross into this unexplored new territory:
Be prepared for the shifts in store
The imposition of CCPA enforcement is a certainty, but the future advent of other data privacy regulations in other locales and sectors is just as certain. Even where stringent rules have already been put in place? There’s the possibility of new restrictions.
For instance, the backers of the CCPA are now proposing a California Privacy Rights Act (CPRA) that would strengthen consumer rights and increase business risk even further. So maintaining awareness of your obligations under present law and looking ahead to potential amendments or new legislation is essential.
To meet whatever other changes lie ahead, businesses must first admit that this is the new reality of business. Then they have to be willing to adopt the data governance frameworks and tools that give them the flexibility and agility they need to maintain compliance. Only then will they be able to contend with not just more regulation across more markets, but the fact these regulations are fluid, and subject to constant review and amendment.
The pandemic has heightened data privacy scrutiny
As we mentioned above, regulators by and large aren’t willing to take their feet off the accelerator when it comes to data privacy enforcement just because of a public health crisis of unprecedented proportions. Rather, there are new calls almost daily for more data privacy rules that have grown out of the pandemic.
A few months ago, how many everyday Americans used Zoom? But now there are multiplying lawsuits other legal threats stemming from the platform’s alleged unpreparedness to become a backbone of teleworking. Including, of course, a demand for new regulations on services like Zoom.
The use of technologies like AI to contain the virus has spawned concerns about data privacy, as well as how data is being handled in other healthcare areas. There are already federal bills being pitched to limit data disclosures to government, among other proposed protections.
Operational processes are now creating risk
The business processes that are fundamental to many organizations? For several reasons, they’re now a source of risk for those enterprises. Risk that regulators and private litigators will be all too happy to target.
First of all, there’s the simple fact that these processes may not have been revamped to be compliant with the CCPA or other data privacy regulations. Why would a company fail to do this? They may have an incomplete understanding of the regulations or the implications for their business, or simply haven’t devoted appropriate resources to becoming compliant – either because they didn’t see the need, lacked the means, or figured their existing systems and processes were “good enough” to skate by.
But the complexities of data privacy compliance can be a very deep, very dangerous pitfall for the unprepared. Especially since laws like the CCPA make a company liable for the data-handling mistakes of their partners and third parties, too. Deficient oversight, manual and paper-centric processes, and outdated data storage practices are a recipe for a regulatory smackdown.
In a situation like the COVID-19 pandemic, the dangers of poor data privacy processes only get magnified as employees work remotely. In doing their jobs, what PII are they accessing about customers and prospects? Who are they sharing it with? On what devices?
Making these processes compliant just demands a commitment to putting the right tools in place. Especially workflow automation for replacing outmoded and noncompliant processes with automated versions where CCPA compliance is built in from the start even for remote employees.
Early preparation mitigates those risks
Taking a proactive approach to CCPA or other data privacy compliance can prevent operational headaches, reputational damage, and bottom-line injury from penalties and litigation losses later on.
Some of the measures to take? Implementing a data governance framework is a vital first step, and determining what your objectives are for the use of data being a key consideration. Setting up this kind of a framework involves commitment and hard work from a broad range of stakeholders in any organization, but it’s mandatory – and the long-term results are worth it.
Then you need to identify what practices and processes may be problematic when it comes to data privacy risk. From there, it’s a matter of exploring and evaluating the solutions available for revamping those processes and giving yourself the necessary agility, responsiveness, transparency, and oversight necessary for effective compliance.
The plaintiffs and litigators loom
To look outside of data privacy for a moment, let’s examine a somewhat more established area in digital-related litigation. The number of lawsuits filed under Title III of the Americans with Disabilities Act (ADA) kept rising in 2019, breaking the prior year’s record by exceeding 3,000 new website accessibility cases. This is a lesson that shouldn’t be lost on companies confronting the CCPA: Again, almost any new regulation provides a fresh avenue for plaintiffs looking to hit a mother lode.
In fact, actions have already been filed against companies like Salesforce, Ring, and Clearview AI for alleged CCPA violations. And as we mentioned above, Zoom has seen three class-action lawsuits filed against it under CCPA since March 30.
In the Clearview AI filing, it’s alleged the company is also violating Illinois’ Biometric Information Privacy Act (BIPA), which has been a “steady source of litigation ever since” it went into effect in 2008, generating hundreds of cases. This might be a bellwether for a future under CCPA where cases proliferate frenetically. Consider, too, how the BIPA addresses a narrower spectrum of data privacy than the California law.
New complications from remote workforces
Another wrinkle? The sudden pivot to remote workforces has given rise to new risks. When employees are increasingly scattered but may still be accessing the personal data of customers, the dangers that this information may be mishandled increase. And as we’ve seen, regulators and litigators aren’t disposed to give a company a free pass, COVID-19 or not.
Some companies have already taken steps to integrate compliance with CCPA, GDPR, and other data privacy regulations into their operations. They’ve done it by revamping core processes with new solutions like workflow automation or tools for uncovering and warehousing the actual data their companies hold.
So it’s incumbent on any company affected by the CCPA to learn more about the various solutions on hand to overcome the risks posed by the CCPA. That’s a key first step in safeguarding itself against becoming a victim of this modern-day “gold rush.”
To find out more about how to navigate the legal and compliance complexities of a work-from-home environment, please check out this webinar.