Frank Ready writes that businesses are turning to their legal counsel for help figuring what – if anything – they need to do to prepare for the California Consumer Protection Act before it goes into effect in January, but that’s complicated by ambiguities in the law itself.
The law is not yet set in stone. It was passed rather quickly, leaving many details to be worked out between enactment and enforcement. It has already been amended several times since then, and is likely to undergo more changes in the coming months.
Many businesses – including their in-house counsel – are unfamiliar with the law, and the scope of its application. Despite being a state law, it potentially applies to any company that does business with California residents.
The law introduces some ideas found in the EU’s GDPR but are new to the U.S., such as the “right to be forgotten”. Businesses will need to develop new procedures for the deletion of customer data upon request. The preparations that many businesses made for the GDPR will help, but won’t be enough for CCPA compliance.