Privacy has been and will continue to be a major focus for regulators around the world. With data breaches and incidents showing no signs of abating, businesses need to ensure that principles of privacy and the protection of personal data are embedded into company culture or risk facing the consequences.
The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, marks a shift in the US regulatory landscape for privacy. CCPA aims to provide Californians with the following rights:
1) To know what data is being collected about them;
2) To know if their personal information is being “sold,” as defined in CCPA, and to opt out of that sale if so;
3) To access the information collected about them by businesses; and
4) To equal treatment in the event they exercise their privacy rights.
This law will have a significant impact by any measure. An independent report prepared for the Attorney General in August 2019 estimated that firms may have to pay up to $55 billion in initial compliance costs. To help merchants prepare for the impending CCPA regulations and understand what the law may mean for their businesses, I wanted to address the top 5 questions I’ve heard most often.
1. Why is the CCPA a significant piece of legislation?
The economy of California is the largest in the United States, with a gross state product of $3 trillion in 2018 – as a sovereign nation, California would rank as the world’s fifth largest economy. As a result, any company doing business in California, and by extension many companies operating nationwide, will be affected.
Its scope is also wide, which means that any significant business selling to California customers should assess CCPA’s applicability. The law also has wider ramifications across the United States: CCPA provides a template for other states to create analogous privacy legislation, and it may serve as the impetus for a federal privacy law.
Finally, the costs of noncompliance could be extremely high, ranging from California Attorney General enforcement and civil penalties, to private suits and class actions, to reputational harm and loss of customer trust.
2. Is this law similar to the EU’s General Data Protection Regulation (GDPR)? And if so, are there any lessons that could be applied to CCPA?
Some have referred to the CCPA as “GDPR lite” due to similarities between the regulations, but there are important differences in scope and compliance requirements. For example, CCPA has a broader definition of personal data (including inferences and probabilistic identifiers), stricter notice requirements, a different application of the “right to delete” concept, and an opt out for the “sale” of personal data.
As in any compliance initiative, context is key. For each arm of an organization, the questions posed by CCPA are the same. But the answers may be very different for data processing activities supporting marketing vs. finance vs. fraud and security. In particular, both CCPA and GDPR contain specific provisions acknowledging that privacy regulations may create vulnerabilities in a fraud prevention program if appropriate accommodations are not made. Accordingly, it is critical that privacy teams managing enterprise-wide compliance programs are sensitive to context-specific concerns around fraud and security.
3. As consumer awareness around personal data and privacy increases, do you think regulations like CCPA will help to build trust in online transactions?
Privacy and security need to be top of mind for any company collecting, processing, or using personal data. As consumer awareness grows, and as legislatures and regulators respond to the increased focus on this issue, businesses will need to adapt and respond as laws, consumer expectations, and enforcement practices change. The only effective way to prepare for this evolving landscape is to embed principles of privacy and security into all of a business’s operations. While this may involve up-front investment, it will pay off in the long term by securing customer trust.
4. What impact may this have for online merchants?
Clearly e-commerce and online merchants selling to California consumers will need to assess the impact of CCPA on their operations. If a merchant has conducted a GDPR compliance audit and implemented a compliance program, much of the infrastructure needed for CCPA compliance may already be in place.
5. What can merchants do to best prepare for CCPA?
Here are some practical first steps to address CCPA compliance for your business:
- Data Lifecycle Management: Create a data map and update data inventories
- Privacy by Design: Embed privacy and security at the earliest stage of product development
- Individual Rights: Implement a compliance program to enable the individual rights provided by CCPA
- Information Security: Ensure the security program is industry standard or better
- Data Processors: Review contracts with service providers and ensure accountability
- Training and Awareness: Update or implement training programs for CCPA-specific processes