Does the California Consumer Privacy Act Affect Your Business?
January 2020 finds California's digital companies struggling to conform to new business legislation. Online marketers feel befuddled and disoriented by the growing list of changes they need to make in their businesses to comply with the California Consumer Privacy Act (CCPA). Business owners feel a growing sense of unease as government officials keep piling up regulations on how businesses can collect user information, roll out loyalty programs, and describe consumer request disclosure policies.
Digital companies need to figure out how to balance providing users with an optimal website experience without decreasing their opt-in rates. Businesses worry that they won’t be able to continue to grow their business and many feel anxious about the risk of collecting data that could jeopardize user trust.
Businesses Affected by CCPA
CCPA does not impact solopreneurs, small-size website business owners, bloggers, affiliate marketers, e-commerce store owners, and other emerging businesses online. It only affects companies making $25 million or higher in gross annual revenues, companies that have over 50,000 customers in their database, and those that make half their revenues from buying or selling customer data.
Surveys Reveal Diverse Reactions
Amy He, author of the article, “CCPA is Here, But Many Companies Are Not Compliant” reflects on several surveys to gauge how California companies are coping with CCPA compliance.
According to one survey, “Key Steps in Satisfying Your CCPA and Other Privacy Obligations,” conducted by Osterman Research, Inc. back in November 2019, 30% of respondents currently complied with CCPA, 18% of respondents said they would comply by the end of 2019, 27% of respondents are planning to comply after 2020, and 12% of respondents had no plans to comply at all.
Another survey, “Steps that US IT Security Decision-Makers Have Taken to Comply with Privacy Regulations,” conducted by Opinion Matters, focused on the 93% of companies that were taking steps to comply with privacy regulations like CCPA. This survey revealed that 58.8% of respondents had improved their use of existing security technologies, 55.8% of respondents had improved data handling practices, 55.2% of respondents had invested in new security technologies, 39.6% of respondents had organized staff education, and 29.2% of respondents had hired new security personnel.
Finally, a third survey, "Why Won't US Businesses Be California Consumer Privacy Act (CCPA) Compliant By January 1, 2020," conducted by PossibleNow in August, reviews the attitude of companies disinclined to comply. This survey reported that 35% of respondents had improved their use of existing security technologies, 55.8% of respondents considered it too expensive to attain compliance, 32% of respondents were waiting to see how authorities would enforce compliance, 17% of respondents didn't think their business was large enough to face fines, 11% of respondents were unsure of the requirements, and 5% of respondents did not think the CCPA applied to their business.
Does the CCPA Mimic the GDPR?
The California Consumer Privacy Act (CCPA) of 2018, now with even more amendments in 2020, appears to echo the intentions of the European Union's General Data Protection Regulation (GDPR) of 2016. The purpose of both is to guarantee that businesses do not exploit consumers for their personal data, by setting regulations on how companies collect, use, and share consumer data whether they collect it online or offline. The GDPR did not mature and go into complete effect until May 25th, 2018, and the CCPA went into full effect on January 1, 2020.
Although there are similarities, such as both working to protect consumers and both taking a long time to go into full effect, there are also differences in scope and magnitude.
The GDPR is a colossal piece of legislation, one of the most comprehensive data protection laws in the entire world. By comparison, the CCPA is a bold and significant attempt at privacy legislation, but it is a state law, not part of any federal privacy law of the United States.
However, what makes the CCPA significant is that it comes out of California, which has the fifth-largest economy in the world. This means that its provisions won’t just apply to California alone but will gradually influence the United States and the world.
Three significant differences between the CCPA and the GDPR are the scope of government application, the extent of the limitations on collection, and the rules about engagement.
How to Comply With CCPA?
If the CCPA applies to your business, there are a few basic steps you need to cover to comply with it.
To ensure compliance, your company has to take three essential steps: preparation, implementation, and maintenance.
Preparation comprises identifying and classifying all your data sources, finding where you’ve stored personal information, and deciding if it requires access permissions. Preparation also requires identifying archaic personal information data that could pose a security risk.
Implementation means analyzing relevant personal data, adjusting any necessary permissions, limiting access to this personal information to staff or third parties based on their job description, and creating software or policies to monitor threats to this personal data.
Maintenance involves routine reviews of data and permissions, staying alert to emerging cyber threats, and making adjustments to safeguard data against newly emerging data-stealing malware.
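The three steps above are described at the policy level. The following script, an added example that is not Zesty.io's code or part of the original article, shows what the first pass of each step looks like in practice on a constructed data store: it classifies fields that look like personal information (preparation), flags personal-data records that have gone untouched longer than a retention window (the "archaic" data the article warns about), and checks actual access grants against a role-to-field matrix so that access is limited by job function (implementation and maintenance). The regex heuristics, the sample records, the 365-day retention window and the role matrix are all assumptions made for the example; a real inventory would draw on the organisation's own data map and access-control system.

```python
"""Minimal data-inventory and access-review helper (added example, not Zesty.io code).

Assumptions (all constructed for the example): records are flat dicts; personal
information is detected with simple regex heuristics for email, US phone and
SSN-like values; a record is 'stale' when last_updated is older than a
caller-supplied retention window; ROLE_ACCESS is a hypothetical least-privilege
matrix of which fields each job role legitimately needs.
"""
import re
from datetime import date, timedelta

# Heuristic patterns for common personal-information fields (constructed).
PII_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

# Constructed sample data store: system name -> list of records.
SAMPLE_STORE = {
    "crm": [
        {"id": 1, "name": "Ada Example", "email": "ada@example.com",
         "phone": "415-555-0100", "last_updated": "2019-12-20"},
        {"id": 2, "name": "Old Contact", "email": "old@example.net",
         "ssn": "123-45-6789", "last_updated": "2016-03-01"},
    ],
    "analytics": [
        {"id": 7, "page": "/pricing", "visits": 12, "last_updated": "2020-01-02"},
    ],
}

# Hypothetical role -> fields that role needs for its job (least privilege).
ROLE_ACCESS = {
    "support": {"name", "email", "phone"},
    "finance": {"name"},
    "marketing": {"email"},
}


def classify_fields(store):
    """Preparation: return {system: {field: category}} for fields that hold PII."""
    found = {}
    for system, records in store.items():
        for rec in records:
            for field, value in rec.items():
                if not isinstance(value, str):
                    continue  # numeric/boolean fields are not matched here
                for category, pattern in PII_PATTERNS.items():
                    if pattern.match(value):
                        found.setdefault(system, {})[field] = category
                        break
    return found


def stale_records(store, today_iso, retention_days):
    """Preparation: (system, id) of PII-bearing records older than the retention window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    pii_fields = classify_fields(store)
    stale = []
    for system, fields in pii_fields.items():
        for rec in store[system]:
            updated = date.fromisoformat(rec["last_updated"])
            if updated < cutoff and any(f in rec for f in fields):
                stale.append((system, rec["id"]))
    return stale


def review_access(role, field, role_access=ROLE_ACCESS):
    """Implementation: True only if the role's job description covers this field."""
    return field in role_access.get(role, set())


def access_violations(grants, role_access=ROLE_ACCESS):
    """Maintenance: the (role, field) grants that the access matrix does not justify."""
    return [g for g in grants if not review_access(g[0], g[1], role_access)]


if __name__ == "__main__":
    # Constructed list of grants currently configured in some system.
    current_grants = [("support", "email"), ("finance", "ssn"), ("marketing", "phone")]
    print("PII fields by system:", classify_fields(SAMPLE_STORE))
    print("Stale PII records:", stale_records(SAMPLE_STORE, "2020-01-15", 365))
    print("Grants to revoke:", access_violations(current_grants))
```

Run periodically, the stale-record and access-violation lists are the artefacts a maintenance review would act on: each stale record is a candidate for deletion under the retention policy, and each unjustified grant is a permission to remove.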
We recommend you consult with an attorney and/or professional security management teams certified to work with CCPA regulations to help ensure your compliance.
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser; the Zesty.io and its members do not recommend or endorse the contents of the third-party sites.
Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers.
The views expressed at, or through, this site are those of the individual authors writing in their individual capacities only – not those of their respective employers, Zesty.io, or committee/task force as a whole. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided "as is;" no representations are made that the content is error-free.
By Randy Apuzzo
Randy has had a penchant for computer programming from an early age and started applying his skills to build business software in 2004. Randy's stack of skills ranges from programming, system architecture, and business know-how to typographic design, which makes for truly customer-centric and business-effective software design. He leads the Zesty.io team as CEO.