6 MIN READ
CCPA stands for the controversial California Consumer Privacy Act of 2018, the first in a surging wave of pending US consumer privacy laws. As of January 1, 2020, California consumers will have the right to review, delete, and opt-out of the personal data collection and sharing which has become such a hot commodity in 21st Century eCommerce.
While California consumers may applaud the increased control of their personal information, the implications for businesses in all 50 states and around the world have industry watchers calling the CCPA “a major economic sea change.” It’s not hard to imagine the burdens that a successful business will have to shoulder if every customer requests copies of all data collected about them in the past 12 months. And it could be quite tricky to prove that personal data has been tracked and deleted in its entirety once it’s been shared with third parties.
In a recent report at Bloomberg one Google spokesman summed up the situation when he said;
“The CCPA will impose new obligations on thousands of small and large businesses, and it is critical that its requirements are clearly defined.”
And that lack of clear definition is where the controversy begins. One critic has noted that the CCPA definition of “personal information” is so broad that it is easier to list “what isn’t considered personal information”. The online law firm sixfifty.com wrote an entire article on just what is considered “personal information” under the CCPA and they are quick to point out that “The CCPA definition of Personal Information is broad and, at times, difficult to puzzle out.”
Litigators and legislators continue to debate the vague legal definitions and flaws of the CCPA. For example, the term “consumer” under the CCPA is now defined as any resident of California, whether the individual has conducted any online transactions or not. Even the definition of “sell” is providing fodder for debate about data sharing practices by the legal eagles on both sides of the CCPA fence.
Businesses today are concerned that they’ll be accused of holding data they don’t have. Enforceability and accountability issues and a tricky “cure” clause in the CCPA have legal and industry experts alike in a state of confusion about just how the law, however noble its intentions, will be enforced this July 2020 when the six months “grace period” expires. There are also concerns that the California attorney general’s office simply doesn’t have the resources to handle claims against the incredibly wide range of businesses around the globe who transact with California consumers.
So how did we get to this point?
The sweeping CCPA legislation about to go into effect comes in the wake of notorious data breaches such as the Equifax scandal when the sensitive personal information of 143 million people was released to the dark side of the internet. Another infamous CCPA trigger was the Facebook Cambridge Analytica episode which allegedly used personal Facebook user information to sway elections with targeted political ads. Uber and Yahoo have also contributed to the demand for consumer privacy when they lost control in data breaches of 57 million and 3 billion accounts respectively.
Consumer outrage over the blatant abuse and mishandling of this sensitive data created momentum for California legislators that even the Silicon Valley tech giants Facebook and Google couldn’t stop. The fast-tracked CCPA bill set a speed record when it passed just one week after being proposed in 2018. By September of 2019, Big Tech’s lobbyists had failed to get exemptions for targeted advertising, and it’s now a near certainty that the CCPA will go into effect as is, flaws and all, on January 1, 2020.
Carrying a potential $7,500 penalty for each privacy violation, the CCPA is touted by its supporters as the first U.S. privacy law with real teeth, raising the bar for consumer privacy standards in a manner similar to the recently passed General Data Protection Regulation (GDPR). The GDPR already regulates businesses that collect, use, or share consumer data in the European Union.
While the scope of the CCPA isn’t quite as broad as the GDPR, the new statutory privacy rights guaranteed to California consumers will have a momentous impact on all US businesses, and in fact enterprises around the world. Leveraging its status as the 5th largest economy in the world, California legislators are confident that there aren’t many businesses willing to walk away from the 2.9 trillion dollar powerhouse which makes up a whopping 14% of the US economy.
For those conducting business in the EU and already familiar with the obligations of the GDPR, the transition to CCPA data handling should be relatively seamless. But for hopeful decision-makers who were betting on the Big Tech behemoths of Silicon Valley to block the California CCPA Law Rush, it’s time to face reality.
The CCPA is just the leading edge of the rising wave of new privacy laws now pending in 11 states. Even new privacy legislation at the federal level is likely to use similar CCPA language as a model for national privacy laws rather than overwriting it as Big Tech lobbyists had hoped.
Distinguished privacy attorney Jay Edelson characterized the controversy surrounding the CCPA and its impact on businesses when he told Fortune.com that:
"Our view is that this is a disaster of a law because it scares the bejesus out of businesses and costs them a ton of money in compliance.”
But, as we’ve seen, love it or hate it, the CCPA is here to stay and there are more new consumer privacy laws just like it on the way. The time to prepare for CCPA compliance is now if your business falls into any of the three categories specified by the law below:
If your company doesn’t fall into any of the categories above you’re off the CCPA hook. For everyone else, it’s time to roll up your sleeves and get to work.
While Facebook and Google face a serious CCPA shakeup of their business models, small businesses will need to focus on data management to compile, distribute, and delete consumer data on-demand. They’ll also need to address security concerns to ensure that requested personal information requests are authentic. And of course, it is most prudent to consult with insurance providers and your legal team to stay ahead of potential liability issues caused by CCPA violations which could result in payouts ranging between $100 and $750 to individual consumers if a company gets hacked or is careless with personal data.
The good news is that the data gurus at MarComm have the data scissors sharpened and ready to help your business cut through all the shiny new red tape generated by CCPA compliance. We’re standing by with an average of 13 years of senior-level data-driven business, communication, and marketing experience to help you navigate safely through the hazards that are coming with CCPA compliance, so don’t hesitate to contact MarComm today.