CCPA is in effect – what you need to know before it’s enforced

The California Attorney General comes into play in the second half of 2020 – companies need to be prepared.
12 March 2020

In the US, the state of California made history when it announced a bill (now an Act), the California Consumer Privacy Act (CCPA), that would protect consumers’ data and award them certain rights over how it is collected and what it is used for.

The bill was passed last year and came into effect at the start of this year. However, anticipating the challenges businesses will face with compliance, the California Attorney General (AG) decided to enforce it after another six months, starting from July 1, 2020.

Following the announcement of the CCPA, there has been pressure on other states as well as the federal government in the US to create similar laws at state and national levels.

Truth be told, the CCPA is a landmark privacy act because it holds companies to high standards similar to those set by global peers, and puts the onus on businesses to really care about how consumer data is stored, governed, and used.

The rising demand and need for a data privacy act

We live in the information age where data is dubbed ‘the new oil’ and just a few kilobytes of data are worth kilos of gold in many instances.

This data is generated by companies — in banking, retail, hospitality, and so on — and is often collected without the consent or knowledge of the consumer.

Logically speaking, given the value of the data and the many ways we already know it to benefit companies, consumers should have a right to know what and when data is being collected and how it is being used (even if they don’t yet have a right to be rewarded for it).

With the help of social media activist groups and forums, consumers are lobbying for regulators to grant them these rights and protect them against the misuse and misappropriation of their data.

To add fuel to the fire, the Facebook/Cambridge Analytica scandal, which isn’t history yet, and the numerous data breaches at companies that caused customer data to be stolen by hackers have gotten regulators antsy.

As a result, lawmakers are keen to craft and implement laws to protect consumers’ data. The European Union pioneered the rollout of such a law when it enforced the General Data Protection Regulation (GDPR) back in May 2018 (after drafting it in 2016).

Similar laws were enacted by regulators in Southeast Asia as well — but like the EU, they were at the federal or national level.

In the US, however, these laws were slow to be drafted and it seems like state-level action is driving the initiative to protect consumer data. 

Although this approach might seem to make compliance a little challenging for companies operating in the ‘united’ states, the expectation is that it will set the bar high when all these laws are harmonized.

What companies really need to focus on

The CCPA is applicable to organizations doing business in the state if they: (1) have a gross annual revenue of more than US$25 million, (2) derive more than 50 percent of their annual income from the sale of California consumer personal information, or (3) buy, sell, or share the personal information of more than 50,000 California consumers annually.

Given the low revenue parameter and the low consumer number set in the CCPA, several organizations, especially consumer-facing retail businesses, will find themselves needing to comply.

Fortunately, what the law really requires from such businesses is also as simple as the criteria set to bring them into the pool of “responsible consumer data users” in the state.

According to the CCPA, businesses need to let consumers know when their personal data is being collected, offer consumers the right to delete their data, and provide them with the option to opt out of their information being sold to third parties.

Of the three requirements, the third, of course, has been met with criticism from activists demanding that the word ‘sold’ be replaced with ‘shared’ as organizations often form collaborations that benefit each other without actually transacting monetarily. 

This is true in the case of, say, telcos offering entertainment providers such as Netflix and Hulu access to customer data in exchange for benefits accruing to them as part of an ‘ecosystem’.

The CCPA, in reality, is simple. Its requirements are clear-cut and easy to understand. Implementation, however, might mean that organizations change how they operate. Businesses that don’t want to be slapped with a fine need to think about accelerating their compliance plan now.