CCPA Is Now in Effect
The California Consumer Privacy Act (CCPA), a bill that enhances data protections for the roughly 40 million residents of California, officially took effect Jan. 1.
CCPA, which was signed into law in June 2018, gives state residents the right to know which personal data is being collected about them and whether that data is sold or disclosed and to whom. Consumers in the state can also refuse to allow businesses to sell their personal information or request that such data be deleted.
The CCPA applies to all businesses, including nonprofits, that collect consumers’ personal data, do business in California, and satisfy at least one of the following thresholds:
- have annual gross revenue of more than $25 million;
- collect personal information from 50,000 or more consumers, households, or devices; or
- earn more than half of their annual revenue from selling consumers’ personal information.
The law also requires businesses to give consumers access to their personal information upon request and to post a link on their websites allowing consumers to opt out of the sale of their personal information. Businesses that violate the law are subject to fines of up to $7,500 for each violation.
CCPA defines personal information as any information related to a particular consumer or household, including names, telephone numbers, addresses, email addresses, IP addresses, Social Security numbers or other government ID numbers, physical characteristics or descriptions, education, employment, employment history, financial information, medical information, and health insurance information.
The CCPA in many ways mirrors the General Data Protection Regulation (GDPR), which took effect across the 28 countries in the European Union in May 2018. Many have complained, though, that some European countries have been slow to enforce the GDPR, and they fear the same will happen with the CCPA.
“CCPA will be met with a false panic,” predicts Peter Reinhardt, CEO and cofounder of data infrastructure provider Segment. “Most companies will do the bare minimum until the government starts enforcing it. That won’t happen for at least six months, and when it does, we’ll see a mad dash to become compliant, which will cause more problems as companies rush and make mistakes. This is the pattern we’ve seen with GDPR.”
Still, others expect CCPA to have a real impact on business processes. Tom Libretto, chief marketing officer at Pegasystems, for example, thinks companies will finally begin getting serious about transparency and data governance. “A wait-and-see approach to data transparency is no longer acceptable. This data regulation wave will continue to swell in 2020, putting big pressure on marketers to invest in systems to help them comply. Their overall business success could turn on their ability to meet these increasing data governance expectations,” he predicts.
Gregg Johnson, CEO of Invoca, a call tracking and analytics company, also sees big changes coming. “As we enter 2020, where CCPA will be in full force, compliance as a feature will be top of mind for all vendors and customers across all industries,” he says.
Still others see CCPA as just the starting point as other U.S. states look to adopt similar legislation to protect their residents.
Robert Cattanach, a partner at the law firm Dorsey & Whitney and an expert on CCPA and consumer data and privacy issues, expects to see “copycat CCPA initiatives” from other states gain steam in 2020.
“State and even local regulators in the United States are escalating their regimes, often with the thought of mirroring CCPA,” he says. “Depending on the legislative power of privacy proponents, we may even see more aggressive regulatory schemes, including in the advertising space.”