The California Consumer Privacy Act (CCPA) became law on January 1, 2020, and as was the case on the effective date of the General Data Protection Regulation (GDPR), the European Union's similarly sweeping privacy legislation, it is being met with a general panic.
How dare that deadline actually pass without our data practices magically being up to snuff? That CCPA's becoming law in the Golden State has been met with the corporate equivalent of blood-curdling screams was inevitable: Privacy has not received the respect and care it deserves.
The Law "There Oughta Be" Is Now in Place
The collecting, buying, and selling of customer data has long been the key driver of revenue on the internet. Some call it "the surveillance economy." Others call it a personal "property grab" perpetrated against consumers--after all, our data is one of our most valuable possessions. Still others call it business as usual.
Because the use of data is so widespread and far-flung, it makes sense that even the most minimal regulatory action around such activities would spark widespread disruption, and especially rules regulating data in the most populous state in the country. In the minds of many, as California goes so goes the nation.
That being the case, predictably, adoption and compliance seem to be lagging. The reason is probably not a shock: The business model works so well that the threats of punishment do not offer sufficient disincentive.
"I am finding that CCPA and its various requirements are not as widely implemented among large companies or companies with personal data at the center of their business model as one would expect," said Eduard Goodman, global privacy officer for CyberScout.
(Full disclosure: I founded CyberScout).
While the CCPA is a work in progress (as with all living law), here are some key points that businesses need to bear in mind.
What Is the CCPA?
In the broadest of strokes, the CCPA was enacted to protect consumer privacy and specifically give California residents the right:
To know what data is being collected about them.
To know when their data is sold or disclosed to a third party.
To decline the sale of their personal data.
To access their personal data.
To request deletion of their personal data.
To not face discrimination for exercising their privacy rights.
There's far more to the CCPA than that (the law itself is roughly 10,000 words long), but what matters here is that it specifically applies to any for-profit organization that does business in California, collects or processes personal information, and either has gross revenue over $25 million, access to the personal information of more than 50,000 people or households, or gets half or more of its income from selling consumers' personal information.
Companies that aren't in compliance face stiff penalties with even more imposing escalators.
Hurdles to CCPA Compliance
The way it's boiled here, the law may sound straightforward, but there's still a great deal of ambiguity.
Case in point: Amazon and Facebook, both of which have lengthy (and often somewhat shady) track records of collecting and compiling consumer data, have stated that they have no intention of complying with the law since they don't "sell" user data.
Few companies have the resources to either challenge the law in court or risk potentially massive fines, but if Amazon and Facebook's, shall we say, "interpretation" of the law is successful, it could pave the way for other companies to adopt a similar approach.
Here's the bully math. For companies intending to fully comply with the CCPA, the cost is not insignificant. A report from Berkeley Economic Advising and Research (BEAR) estimated that smaller and midsize companies would incur $50,000 to $100,000 in initial costs, and that 75 percent of businesses based in California would need to be in compliance. All told, the report concludes, the total cost for compliance roughly amounts to $55 billion, or 1.8 percent of California's GDP.
Another issue facing businesses is that the CCPA covers what it calls the "intended uses" of data, which opens up still more gray area.
"The requirements are less black and white and more about user consent. Understanding all of the potential uses of the personal data you have, knowing exactly whom you share data with, and many other considerations are infinitely more complicated than data security regulations require. A compliance mindset isn't enough. Organizations need to revisit their foundational philosophy around intended uses of data," said Goodman.
Still a Good Idea
While it may seem like I'm holding a proverbial flashlight under the chin of this long overdue statute, I am not. The CCPA is important. While it's not perfect, and compliance is significantly easier discussed than accomplished, the California legislation represents a much-needed first step to protect consumer privacy.
Regardless of the potential costs associated with compliance, the time for companies to get it done has come. Until Congress overcomes its inertia and passes privacy legislation at the federal level, we can expect many other states to follow suit with similar laws and regulations, and companies that aren't prepared now can expect a tidal wave of compliance issues as well as potential litigation, fines, and consumer backlash later.
The exploitation of our private information has been and remains a class action suit waiting to happen. The sooner companies get on board with regard to consumer-friendly solutions, the lesser the risk will be for them. As football coaches have said all over the country since time immemorial: "The time to get this right was yesterday."