California Consumer Privacy Act Is Work in Progress, Says Attorney

In a recent piece on, Matthew Nelson, an attorney with DiscoverReady LLC, says the 2018 California Consumer Privacy Act (CCPA) is constantly evolving, as evidenced by the September passage of Senate Bill 1121, which serves rather like an amendment to the CCPA.

Nelson says because of SB-1121, consumers bringing a private right of action no longer must notify the attorney general. Further, organizations no longer must disclose on their website or in their online privacy policy that a consumer has the right to delete personal information.

Importantly, SB-1121 also made the CCPA effective immediately, but it extended the compliance deadline, saying the attorney general cannot “bring an enforcement action until six months after publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”

The battle did not cease with SB-1121. Says Nelson: “Both industry and privacy advocates alike will likely seek additional amendments or at the very least, they will lobby hard to influence the regulations the attorney general is required to put in place to operationalize the CCPA. I’d say we are still in the 8th round of a 12-round battle, and we can expect more changes to the CCPA.”

In the meantime, organizations should expect to see some version of the CCPA enforced by mid-2020, Nelson says, and they should address their fundamental compliance challenges now.

“The fundamental challenges are the result of the explosive growth and mismanagement of company data over two decades,” he says. “Organizations simply don’t know how many company files include personal data, personally identifiable information, personal health information or other types of sensitive data or where all those files are located.”

To comply with the new privacy and security laws, organizations should establish a process to identify, secure, delete, or otherwise manage files containing sensitive data, Nelson asserts. “Most organizations don’t do this well because it requires a combination of skills, including legal analysis, establishing new standard operating procedures and policies and using technology. Only then can organizations identify consumer and employee information so that it can be properly managed.”