The California Consumer Privacy Act (CCPA) is now in effect. Modeled after the EU’s General Data Protection Regulation (GDPR), California has become the first state in the Union to implement controls on companies’ consumer data handling practices. Like most new bureaucratic regulation roll-outs, last minute amendments and changes to regulations has resulted in half of the affected companies missing the deadline for compliance. “Like we saw with GDPR, CCPA compliance is a journey that most companies won’t be able to complete before the January 1, 2020, deadline,” said Lauren Fisher, principal analyst at eMarketer. “Even those who feel ready and say they’re compliant will likely have to make modifications and changes as the year progresses and the true nature of the regulation becomes clearer. Companies need to look at compliance as an ongoing process and not a static checklist.”
While CCPA compliance can be costly for companies, non-compliance can result in fines of $2,500 for each record of unintentional violation and $7,500 for each record of intentional violation. The prospect of such costs has many affected organizations questioning just how much personal data they need to maintain on consumers. The CCPA impacts companies with annual gross revenues totaling $25 million or more, those that buy or sell customer data on more than 50,000 individuals, and those that make more than half of their annual revenues from selling customer data. The main purpose of the CCPA is to give Californians more control over their personal information and give them the right to opt-out of having that data collected and sold.
Affected companies must disclose to consumers the type of information that has been collected and make that data available via mail or email when requested. Specific information on how and to whom personal information is sold and shared must be revealed, and data holders must permit individuals’ requests to opt out of data collection and sale. Individuals have the right to continue receiving goods and services from a company even if they opt out of sharing personal information. “Because CCPA is opt-out vs. opt-in, we’re not anticipating marketers’ databases will take as big of a hit,” Fisher said. “But so much of that is contingent on marketers and the customer experience they craft—and the expectations they set. Marketers failing to uphold practices that make consumers feel comfortable with sharing data are likely to feel the effects.”
The CCPA is a state regulatory function, but that doesn’t mean its impact on an organization is limited to companies within California’s boundaries. GDPR is a European regulation but applies to companies around the world. The Internet knows no state or national borders. Regardless of location, If a company meets the CCPA threshold for inclusion, they must provide California residents with the benefits of the regulation. Other states are looking to implement or have already put into place similar data rights legislation further complicating compliance.
Lothar Determann, partner at law firm Baker & McKenzie, said, “The law came out of just a few days of negotiations. It was not completely thought through, and I think it can come with unintended consequences.” Because of the haste to implement the CCPA, changes are expected to follow as the full impact on businesses and consumers are fully realized. Legislation tends to come as new technologies mature and reveal their impact on personal privacy and individual freedoms. Such legislation is often considered in the best interest of consumers but often require all concerned to choose between those rights and freedoms and convenience. Determann says, “All of us in California and elsewhere should carefully consider how much we value free services versus data regulation.”
If you are looking to learn more about the implications of GDPR or CCPA for your organization, contact Junction Creative for more information at 678-686-1125.