The compliance deadline for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. Even though the CCPA is the first privacy law that will directly impact a large number of U.S. businesses, the best strategy for most U.S. businesses will be to take a measured response toward this new law.
GDPR Hysteria
The General Data Protection Regulation (“GDPR”) has been in effect for more than a year. And, without question, GDPR has impacted privacy law across the world as 59,000 data breaches were reported to the EU supervisory authorities which resulted in the assessment of about 90 penalties [1] since the May 25, 2018 compliance deadline. However, while GDPR has undoubtedly impacted many businesses, it has not become a daily concern for most businesses in the EU and almost no concern for the vast majority of U.S. businesses.
Before the compliance deadline, there was what can only be called “GDPR hysteria” [2] over how the world would look after GDPR. As the GDPR deadline loomed many experts and U.S. law firms grew hysterical and rushed to create GDPR practices. While an assessment of privacy safeguards and preparation is always recommended, the best advice at that time [3] was for American businesses to simply use GDPR as another opportunity to review their privacy safeguards rather than stress over compliance.
A Measured CCPA Response
Today, we are seeing a similar hysteria over the upcoming January 1, 2020, CCPA compliance deadline [2]. In the days leading up to the enactment of CCPA, we are seeing law firms and other experts set up practice groups dedicated to the onslaught of CCPA claims. And, once again, a measured response may be the best course when determining a game plan for compliance as not every U.S. business will be subject to the CCPA.
Before any business pays a law firm’s newly-minted CCPA practice group a large retainer, it may be worth looking at the fundamental principles of this new law. First, the impact of the CCPA may be limited to the extent the “businesses” subject to this law must collect consumers’ personal data, do business in California, and satisfy at least one of the following additional requirements to fit into the definition of “business” under the law:
- Annual gross revenues exceeding $25 million;
- Possess the personal information of 50,000 or more consumers, households, or devices; or
- Earn more than half of its annual revenue from selling consumers’ personal information.
These requirements will most likely narrow the scope of the CCPA to larger, national businesses.
Admittedly, if the CCPA applies, the stakes are high for compliance as a business that violates the CCPA can be prosecuted by the California Attorney General or be sued in a civil suit for damages ranging from $100 to $750 for each California resident (or actual damages if greater) involved in a breach. (Cal. Civ. Code § 1798.150) Therefore, any business subject to CCPA has reason to be concerned about this privacy law.
However, while it is reasonable to expect the CCPA to have a greater impact on U.S. businesses than GDPR, the CCPA may not apply to the vast majority of businesses. In many cases, the best place to start to determine if the CCPA should cause concern for a business falling into this gray area is to look at the California legislature’s stated intent behind the CCPA which includes:
- “…the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”
- “The bill would require a business to make disclosures about the information and the purposes for which it is used.”
- “The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.”
- “The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.”
- “The bill would require a business to provide this information in response to a verifiable consumer request.”
- “The bill would authorize a consumer to opt-out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.”
- “The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt-in.”
- “The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers.”
CCPA compliance may not need to be an overriding concern for a smaller business that does not face any of the challenges outlined above. That is, if a business does not have many requests to destroy stored personal information, it may not need an elaborate process to field such requests. Of course, even if a business believes the CCPA does not apply to it, a measured response may still include taking steps toward compliance. First, businesses are always best served by protecting customer/client data that they have been entrusted with. Also, it is only a matter of time before almost every business will operate under state or federal privacy laws. Therefore, while it may be practical for all businesses to begin working toward CCPA compliance, there is no reason to be hysterical about this new privacy law.