Privacy Law Puts California Consumers in Control

The California Consumer Privacy Act poses big compliance risks for businesses that gather and sell residents' personal data.


Maybe you've seen the "don't sell my data" buttons popping up on websites lately. If you live in California, you may have noticed similar signs in retail stores. They are harbingers of businesses scrambling to comply with California's new data privacy law.

The California Consumer Privacy Act (CCPA) went into effect on Jan. 1, and already it's become a mad rush. The state will start enforcing the law on July 1, but there are no rules yet. And initial compliance costs could top $55 billion, according to an economic assessment compiled for California's attorney general by Berkeley Economic Advising and Research LLC (see "CCPA and Data Privacy Resources" below).

The CCPA is a response to a litany of data privacy breaches and concerns over how Facebook, Google, and online marketers are compiling, using, and selling consumer data. In a recent Pew Research Center study, 81% of respondents say they have no control over the personal data companies collect on them.

The CCPA is about giving consumers that control. Under the law, California residents have the right to:

  • Know how organizations use their data.
  • Request that their data be deleted.
  • Opt out of having their data collected, shared, and sold.

"Americans should not have to give up their digital privacy to live and thrive in this digital age," California Attorney General Xavier Becerra said in October at a press conference announcing draft regulations for the CCPA.

Doing Business With California Residents

The CCPA follows on the European Union's (EU's) General Data Protection Regulation (GDPR), in effect since May 2018. Just as GDPR covers all EU residents, the CCPA applies to any organization that does business with California residents, even if the organization is located out of state. Organizations are subject to the law if they meet one of three conditions:

  • Generate more than $25 million in annual revenue.
  • Buy, sell, or share the personal information of 50,000 or more California consumers, households, or devices.
  • Derive at least half of their revenue from selling consumers' personal information.

Although GDPR and the CCPA are similar, one area of difference is penalties. Under GDPR, regulators can fine organizations up to 4% of annual revenue for data privacy violations. With the CCPA, fines are $2,500 per nonintentional violation and $7,500 per intentional violation.

Because each person affected counts as a violation, those amounts can multiply quickly when hundreds of thousands of California residents' data may be involved. Further, the CCPA allows individuals to sue for damages if their data is disclosed.

Data Collectors Are Most at Risk

CCPA and Data Privacy Resources

  • California Attorney General's Office, Standardized Regulatory Assessment: California Consumer Privacy Act of 2018 Regulations (PDF).
  • California Attorney General's Office, California Consumer Privacy Act Regulations: Proposed Text of Regulations (PDF).
  • BakerHostetler LLP and Practical Law, CCPA and GDPR Comparison Chart (PDF).
  • International Association of Privacy Professionals, U.S. State Comprehensive Privacy Law Comparison.
  • TrustArc, Essential Guide to the CCPA (PDF).

Data Privacy

  • IIA Bulletin, International Data Privacy Day (PDF).
  • U.S. National Institute of Standards and Technology, NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (PDF).

Organizations most likely to be impacted by the CCPA are those that collect and sell massive amounts of consumer data. At the top of that list are the big digital marketing and advertising companies.

Because consumers have to opt out of such collection under the CCPA, the law may not affect these companies' practices as much as GDPR did, according to Lauren Fisher, principal analyst at eMarketer in New York. That's because GDPR required consumers to opt in to data collection. "Marketers failing to uphold practices that make consumers feel comfortable with sharing data are likely to feel the effects," she explained in a July 2019 eMarketer article.

But it's not just the big marketers. Any company with lots of data on consumers — big companies, internet companies, and online retailers especially — is at risk. And the more consumer records they have, the bigger the risk, says Chris Babel, CEO of San Francisco-based TrustArc, which provides data privacy compliance technology.

Babel says many large global companies have to comply with GDPR, so they've had a head start on compliance, despite the differences in the two laws. But many big companies with lots of consumer data weren't impacted by GDPR because they don't do business outside the U.S. Take utility companies with their huge customer bases, for example. "They don't have more risks, but they have less time," to prepare for CCPA compliance, Babel says.

Viewing Data From a Privacy Perspective

The CCPA "requires businesses to fundamentally understand their data on a different level than they've ever had to before," Babel says. Typically, businesses have looked at data from a security standpoint, he explains. Their focus is on the point where the data is collected, whether it's encrypted, and where it's stored.

Babel says organizations need to look at data from a privacy perspective that considers what the data includes, how it is used, and where it flows — both within and beyond the business. That's far more complicated.

For starters, different businesses store data in different ways. One company might have lots of data but store it in a single database. Another company could have fewer records but spread them across hundreds of databases, Babel explains.

The next concern is what happens when a consumer requests to see his or her data, or asks the business to delete or stop selling it. According to the draft rules, organizations have 45 days to comply with such requests. During that time, the business must validate that the person is who he or she claims to be, locate the person's data, and comply with the request.

But that's just the data that resides within the organization. Babel says the CCPA presents substantial vendor management consequences because organizations are responsible for all the data they sell or share with other businesses. That means an organization responding to a consumer request also must contact any other organization with which it shared or sold that information so they can comply, as well.

"When you start peeling that back, layer by layer, it gets more complicated than most companies think," Babel says.

The Drumbeat of Regulation

But peel back the layers they must, because the drumbeat for consumer privacy protection doesn't stop with California. A similar law went into effect in Nevada in October 2019. Ten other U.S. states are currently considering consumer data privacy laws, according to the International Association of Privacy Professionals.

California's law isn't finished rolling out yet. In addition to finalizing new rules — the public comments period ended in December — there are business-to-business and employee data aspects that take effect in January 2021.

And just because California's rules aren't final, it doesn't mean organizations are off the hook. Attorney General Becerra told Reuters this month he will make an example of businesses that don't make efforts to comply, "to show that if you don't do it the right way, this is what is going to happen to you."

Tim McCollum

About the Author

Tim McCollum is Internal Auditor magazine's associate managing editor. https://iaonline.theiia.org/authors/Pages/Tim-McCollum.aspx