140 Days Until the California Consumer Privacy Act Becomes Law – Why Aren't More Businesses Complying?
California, for better or for worse, has a reputation as being a trendsetter, and has taken the lead in the United States by passing the "California Consumer Privacy Act," or "CCPA." This massive law has been on the books since 2018, but hasn't taken effect yet. However, the timeframe for businesses to be in compliance is rapidly diminishing. Currently, there are less than five months for businesses to (a) familiarize themselves with what the law requires; (b) determine how and if they are affected by the law; and (c) determine how to be in compliance with the law's demands. Right now, Companies aren't making a rush to become CCPA compliant, but this is a mistake. Below are a few of the misconceptions, that businesses have, as well as the realities.
MISCONCEPTION 1: It doesn't apply to my company.
For many businesses, it will apply. The baseline of the CCPA is: (1) does the business do anything with California residents (including employees); (2) is it for-profit; and (3) it either has $25 million annual revenue, "sells" 50,000 pieces of personal information or receives 50% or more of its revenue from personal information.
It does not matter if the business is in Nevada, Arizona, Texas or Delaware. So long as there is some connection to Californian residents, exists to make a profit, and otherwise satisfies either the profit, volume, or revenue percentage requirements, it applies. On that note, even if a business does not sell personal information, it does not mean it does not "sell" personal information under the law, as it includes any exchange of personal information for valuable consideration, such as the exchange of consumer data between companies, or the sale of information to a University for study.
MISCONCEPTION 2: The Federal Government will stop it.
One of the main reasons we have the CCPA is because the Federal Government has not acted on this issue. Furthermore, there is a high likelihood that any Federal law will not be substantially different from the CCPA, keeping the core principles in place. It's also unlikely that such a law will take effect and be passed in the remaining five months before the CCPA begins enforcement. Companies must accept that ideals of transparency, choice, consent and reasonable security as they relate to consumers' personal information are here to stay.
MISCONCEPTION 3: California is still changing the law, so I should wait.
California is still in the process of fine-tuning the CCPA, but this is no reason to wait. Fixes to questions arising regarding the CCPA have come out piecemeal, and continued changes, including expansions are likely. For example, employees were previously not addressed specifically within the CCPA, but are being addressed in the planned AB 25, excluding employees from some of the CCPA's protections. Conversely, there have also been planned provisions to expand on the protections and enforcement mechanisms of the CCPA, including a broad and expansive private right of action to permit individuals to sue for technical violations of the statute, like having to wait too long for a response to the demand, even if no actual damage is suffered. Again, the foundational requirements of the CCPA will not change via amendment – so companies should act now.
MISCONCEPTION 4: It's too expensive.
Actually no. Many of the basic actions are not cost-prohibitive, and are actions a business would want to do anyways: (a) Employee training to avoid data breaches and how to respond to user requests; (b) data mapping to quickly find, access, and arrange protections for consumer data; and (c) ensuring you have reasonable cyber security. This can even be turned into a competitive advantage, as consumers increasingly value companies that share their interests, including their privacy.
A compliance mistake could be extraordinarily costly. Currently, a violation for statutory violations of the CCPA can carry a penalty between $2,500 to $7,500 per individual violation. Furthermore, there is a private right of action with statutory damages of $100 to $750 per individual violation that could quickly balloon to exceed $5 million at a minimum, and invites class action/lawsuits for a data breach.
While this is true of almost every legal risk, an ounce of prevention is worth a pound of cure. The penalties on the higher end of the spectrum are for willful violations, and attempts to comply with the law can act to curb potential risks
What Should I Do?
If you feel CCPA compliance is important to your business, and decide to prepare for the CCPA with us, our firm has created a 90-day CCPA compliance program where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, without breaking the bank. Let us provide you a free initial consultation to see if our CCPA compliance program works for you.