Data privacy: you deserve it. After all, it’s your personal information that’s on the line. That’s the fuss surrounding all these privacy laws, isn’t it?
Of course, it’s not. Otherwise, there would be no fuss.
Have you ever voted for or against something and really not understood what all the changes would entail? Have you ever thought to yourself, “Well duh, why would anyone not want that? Why is this even having to be voted on?”
Sure you have. We all have. Then, we learn. We grow; we get older; we get wiser. It’s part of life.
Lawmakers have a knack for correlating and grouping terms under one massive umbrella that makes the new law or tax or whatever the case may be, “sound pretty”.
Ok, we’ll go with the umbrella analogy here.
On the outside of the umbrella, you see the design: polka dots, stripes or whatever sprinkles your donut. What happens when you look underneath the umbrella? 9 times out of 10, it’s not nearly as “cute”. There’s all kinds of metal pieces and wires and what have you. But, when you think about the word “umbrella”, do you think about all the moving pieces underneath that are required to make the umbrella work, or do you simply think pretty designs and polka dots?
Right. This is why proper research has to be done before you can really understand what a new law brings to the table.
What is The California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA), which was signed into law in June 2018, is the first U.S. law following in the footsteps of GDPR. Companies both inside and outside of California will be affected by its requirements. The CCPA took effect upon the signing, but the requirements will not go into effect until January 2020.
The law applies to “for profit” businesses in California that collect and process the personal information of California residents and do business in the state of California. However, a physical presence in California is not required to be subject to this law. Simply making sales in the state of California would be sufficient. In order to fall under this new law, businesses must meet one of the following:
- Generate annual gross revenue of over $25 million
- Receive or share personal information of more than 50,000 California residents annually
- Derive at least 50% of its annual revenue by selling the personal information of California residents
CCPA: Personal Information
Similarly to the GDPR, the CCPA includes a broad definition of “personal information”. This is much broader than other privacy laws normally seen in the United States. Personal information, as defined under the CCPA, is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Sure, the definition of “personal information” could mean your social security number, driver’s license number, etc., but as the definition stands, this could also mean purchase history, device identifiers and other online resource data used by marketers across the United States.
Significant Problems with the CCPA as it Stands
- CCPA Affects Businesses Who Never Got a Chance to Rebut
- CCPA Imposes Excessive Costs to Small Businesses
- CCPA Requires Businesses to Waste Money Complying With Vague Laws
- CCPA Overbroad Definitions Overview
Most of the standing United States privacy laws are “sectoral-based”, which basically means that they are optimized for meeting the needs of specific industries. Unlike the previous privacy laws, CCPA applies to almost every industry, with limited exceptions. Due to the CCPA’s hastened approval process, the California legislature chose not to hear from the thousands of various industries that will be affected by the CCPA.
You can’t just create a law, all willy-nilly, that will drastically affect several industries, but it seems as if that’s the plan for 2020.
As the CCPA will more than likely have to make constant updates to accommodate the various industries left out in the original act, much more research needs to be gathered.
Similarly to the oversight of various industries, it seems as if the CCPA unsuccessfully tried to exclude small businesses from the very general requirements. However, with the CCPA’s definition of “business”, as it stands, most small businesses will still be negatively affected. 50,000 may seem like a ton at first glance, but divide that number by 365 and you’re left with less than 150 customers per day. Now, take the ambiguity of the statement. This not only applies to customers but also to households or devices.
How many “devices” do you own?
This could easily embody a small business.
Because of the ambiguous definitions associated with this act, the CCPA will sweep in more businesses than originally intended.
“It’s a sign of things to come. More and more laws like GDPR will be coming in the future. And this increased regulatory compliance will begin to suffocate companies. And when companies suffocate, consumers suffer. Prices go up, jobs are lost and we could experience negative economic impact in those regions. There is a fine line between the right amount of protection and regulation and too much of it.” – Brent Chapman, RoundPoint Mortgage Servicing Corporation
Many small businesses will not have the funds to pay for the costs associated with this new law and will have to choose between not abiding by the law or withdrawing their company from the market. Most small businesses are also interconnected with other small or larger companies in order to remain profitable.
According to a survey by TrustArc:
- Only 14% of responders said their businesses are CCPA compliant.
- 16% haven’t even started the compliance process.
- The remaining 72% are in various stages of the process.
- 50% of the companies surveyed were subject to CCPA and GDPR. The other 50% were only subject to CCPA.
Many California businesses were just recently forced to spend money on GDPR compliance. Because of the lack of thought and application, the differences between the CCPA and GDPR will impose another round of expenses on businesses who may just be getting over the hurdle of GDPR compliance.
What’s even more frustrating is that if businesses were GDPR compliant, making even more changes will more than likely not dramatically affect the privacy of California consumers. The legislature could easily help businesses by making the two laws more harmonious with each other.
One important takeaway to note: because of the definition of “business” in the CCPA, entities that are “affiliates” by most legal standards will be considered part of the same business. What this means is that transfers within a corporate company may constitute a “sale” of personal information under the CCPA.
According to a recent study:
- More than 70% of responding businesses expect to spend more than $100,000 on CCPA-related compliance expenses this year!
- Nearly 20% plan to spend more than $1 million on CCPA-related compliance expenses this year.
- 72% said they will have to invest in additional technology and tools to prepare for CCPA.
How do you think these companies will balance these newfound expenses? How will local marketing companies budget with these new expenses? Will they simply absorb them?
Definitions are the underlying foundation of a good law. The lack of clarity will ultimately be the demise of the CCPA if it isn’t altered. A few examples of this are:
- Consumer: extends to employees and B2B contracts
- Personal Information: applies to data that no consumer considers identifiable. Ambiguity in “publicly available information”
- Households: allows personal information to extend past one individual
- Sale: doesn’t clarify when data transfers are done for “value”
- Service Provider/Third Party: unclear boundaries
The CCPA has already been amended once, and will hopefully go through additional updates. However, as a small business, you should start your preparation now. Privacy notices, various procedures, and websites will need to be updated before the CCPA takes effect.