California’s new privacy law will soon take effect, but are the state’s businesses prepared for its impact?
The California Consumer Privacy Act (CCPA) will officially become law on January 1, with enforcement commencing by July 1, 2020, and commercial enterprises doing business in the state should take note. The primary and most urgent concern at this point is compliance by 2020, Gino DiCaro, vice president of communications at the California Manufacturers and Technology Association, said in an email.
“Manufacturers will have to analyze the requirements, identify the impacts on processes, assign staff to work through the many changes, create project plans, and implement monitoring to ensure compliance,” DiCaro wrote. “California is at the forefront of consumer privacy, but the CCPA and its deadlines will make it very difficult to get compliant before penalties and private rights of actions are brought."
Forbes reports that companies doing business in California must adhere to the CCPA if they meet one or more of the following categories: their gross annual revenues exceed $25 million; they engage in the commerce of personal information of 50,000 or more households, consumers or devices; at least half of their yearly revenue is derived from the sale of consumers’ personal information.
A consumer’s privacy is a cornerstone of any manufacturer’s success, but the CCPA will create the consequential imposition of costs in terms of the legal, operational and business aspects of compliance, DiCaro said.
The privacy act's high cost to companies does present a financial burden but could possibly come with a silver lining, says Dominique Shelton-Leipzig, a partner at Perkins Cole, which specializes in tech privacy and data management.
”The CCPA represents a sea change in U.S. privacy law,” Shelton-Leipzig wrote in an email. “For most companies, it is a heavy lift as the Cal AG office recognized that it will cost businesses some $55 billion to comply. That said, I am a firm believer that privacy by design and data management handled properly can be a positive game-changer for companies. It allows them to build trust.”
The new law mandates that companies fully disclose all aspects of the collection of personal data, reports Corporate Compliance Insights. Kyla Christoffersen-Powell, president and CEO of the Civil Justice Association of California, says that the state’s businesses need certainty if expected to comply with the new law.
“The passage of the California Consumer Privacy Act is fraught with complexity and created a lot of uncertainty for businesses,” Christoffersen-Powell said in an email. “Despite efforts this year, the law and pending regulations are far from settled, leaving many open questions on how to comply.”
Microsoft has already announced it will employ the main principles of the CCPA throughout the country, stating in a recent blog post that it strongly supports the law and the expansion of privacy protections in the U.S. and calling privacy a fundamental human right.
“I was delighted to read Microsoft CPO Julie Brill’s recent blog post embracing the CCPA and extending application to its customers U.S.-wide,” Shelton-Leipzig said.
She added that it’s crucial for businesses to work with community groups, regulators and legislators and to be an active participant by imparting their valuable and practical collective voice to the discussion.
“It is important for business to work together with legislators, regulators and community groups to become an active participant and include their valuable and practical voices to the privacy discussions,” Shelton-Leipzig said. “This will be instrumental in bringing about livable solutions that maintain a free-to-consumer internet while respecting consumer’s choices on privacy.”