Nov 22, 2019
What will the California Consumer Protection Act (CCPA), which goes into effect on January 1st, 2020, mean for the digital privacy of United States citizens and the rest of the world?
Being born and raised in Germany gives me a unique perspective and appreciation for privacy. I’ve grown up with a strong expectation of privacy, complete with laws and protections designed to enforce it. After watching the General Data Protection Regulation (GDPR) take effect in Germany almost two years ago, I am noticing a lot of similarities with the CCPA that is about to take over on January 1st, 2020.
Originally passed in 2018, the CCPA is the strictest digital privacy act in the United States. Privacy advocates and the media have been counting down the days until the CCPA takes effect at the beginning of next year. Its main focus is on consumer rights and privacy protection for California citizens, with three broadly stated goals:
1. The right to know what information large corporations are collecting.
2. The right to tell a business not to sell or share private information.
3. The right to protection from a business mishandling private information.
State legislators have watched the strengths and weaknesses of the GDPR implementation in Europe and have felt a strong desire to provide similar privacy protections for their citizens. In the current political climate, federal legislation on privacy issues seems doubtful. California, home to technology giants such as Google and Facebook, is the natural choice to lead the way in state law.
It’s likely that federal legislators will be watching the roll-out of the CCPA closely for possible future nationwide protections. In the meantime, most experts agree that the CCPA will have a nationwide and potentially global impact.
Even for corporations as large as AT&T and Google, it will be very difficult to implement different procedures for California citizens and the rest of the U.S. while remaining compliant. Although CCPA is the most significant, other states have already passed similar legislation. As more and more states follow suit, it will be harder and harder for companies to remain compliant. For this reason, most companies will likely be forced to provide similar protections to all U.S. citizens, and many are asking for federal legislation to make compliance more reasonable.
In contrast to the GDPR, the CCPA is specifically targeted at large corporations. It applies to any company that does business in the state of California and meets one of the following criteria:
1. Annual revenue of more than $25 million.
2. Annually sells personal information of 50,000 consumers.
3. Derives half of its annual revenue from selling consumer information.
After hearing this, smaller businesses may feel they are off the hook, but we strongly recommend thoroughly reviewing policies regarding privacy, data collection, and data retention regardless of size. The penalty for not complying can be as much as $2,500 per violation. For large-scale offenses affecting thousands of consumers, this can add up quickly. Getting compliant will not be cheap either; a recent independent study estimated that the total initial cumulative cost for businesses in California to comply with the CCPA will be upwards of $55 billion.
Link to independent study (page 11): Visit
The details of the GDPR are still being worked out in the courts, and the same can be expected for the CCPA. The legal debates between large corporations and the state will likely further refine the CCPA. It will be interesting to follow the policy developments surrounding consumer privacy in 2020. In the meantime, with privacy at the forefront of the media and the minds of consumers, it’s a good idea to ensure compliance with the CCPA. If this all seems overwhelming, there are already tools, experts, and consulting businesses available to help you through it.
Official CCPA website: https://oag.ca.gov/privacy/ccpa