Although we likely won’t see the effects of the CCPA (California Consumer Privacy Act) for another 6 months, here’s what you can expect. The act was put into place on January 1, 2020, to protect the data of Californians. While Europe’s GDPR really takes the cake for data regulation, the CCPA is a huge step for the US of A. Until now, the regulations around consumer data were weak resulting in numerous scandals, breaches, and hacks like the ones that Uber, Equifax, and Marriott have recently experienced.
California really killed it this year with their new year’s resolution. New year, no new data-breaches.
Who Does it affect?
Short answer: large, for-profit companies in CA, and Californians.
The CCPA applies to any for-profit entity doing business in CA that sells, collects, or shares California consumers’ personal data, and:
- Has annual gross revenues in excess of $25 million; or
- Has the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information
For consumers, it covers anyone residing in the state of California.
So, What Does The CCPA Do?
Real estate tycoon behind the CCPA ballot initiative, Alastair Mactaggart, calls the two significant changes for consumers, “the right to know”, and “the right to say no.” Companies have to unveil what they’re doing with the data and give residents the option to opt-out of having their data collected, sold, or shared along with deleting the data that they have already collected (if that’s what the consumer wants). Additionally, websites with third-party tracking are supposed to show a button saying something like, “Do Not Sell My Personal Information” giving consumers the opportunity to preemptively protect their privacy.
For the California companies who have been profiting off of the sale of consumer data, the CCPA is a big blow to revenue.
How Does It Work?
The obvious companies affected are the Googles and Facebooks of the world who directly meet the above criteria. However, if you do any industry reading online, you’re source is likely a corporation that may not directly profit from selling or sharing your data, but indirectly profits from the collection of it.
Best practices would have these corporations tracking your behavior—clicks, time on page, articles read, etc.—in order to customize their site for their target market. While this provides a better consumer experience (which is the only thing setting companies apart in 2020), a third-party is typically utilized to manage and dissect this information. Google AdSense and Google Analytics are receiving this data which brings us back to where we started. Google’s programs combine this type of data with other similar data and build out profiles for advertisers to target. Cue the Nordstrom ad that’s stalking you.
In this case, if you’re surfing the web from a California IP address, the company will have a “Do Not “Sell” My Private Information” button that you can click in place of a Nordstrom restraining order.
Despite the CCPA being effective January 1, 2020, companies won’t face any ridicule around compliance until July 1st. This gives California attorney general, Xavier Becerra, time to release the much anticipated final regulations around the law.
The law says that Californians can sue any company being negligent with data but every single case will fall to the attorney general’s office. As you can imagine, they’re already busy. They’ve said their office only has resources to bring a few cases per year.
Since this is the case, an internal case to get another initiative on the ballot this fall is taking place. They will be filing for the CCPA to have an independent agency focused solely on the privacy law to mandate compliance. We’ll see what happens with that in November.
Upside To The CCPA
While most of the companies impacted are dreading the process of becoming compliant, there are upsides to the CCPA that shouldn’t be overlooked. Consumer trust and experience is the only thing that sets companies apart. With the CCPA, all California companies who meet the requirements must be compliant—ensuring trust with consumers.
There are opportunities for big companies to gain trust and good faith by not just doing the bare minimum, like Microsoft. They’ve vowed to honor the CCPA regulations across the United States, not just in California. That snippet of information alone could make consumers choose PC over Mac. Trust is invaluable.
As we wait for July 1st to roll around, listen up for the back and forth on regulation. The California Attorney General has 6 months to essentially finalize more rules. What’s next? We wait to see who gets in trouble first.
For now, we’ll see everyone in incognito mode.