SACRAMENTO – After months of debate, discussion and speculation, Golden State residents are about to see how the California Consumer Privacy Act (CCPA) will truly affect the business landscape in the state.
The CCPA, which was signed into law in 2018, amends Part 4 of Division 3 in the California Civil Code and goes into effect in January. In effect, it updates the code to provide more power and control to the consumer over their personal data. It does so by giving consumers “a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer,” according to the law.
There are guardrails for the law currently put it in place for companies that do business in the state, such as applying to businesses that deal with the personal information of more than 50,000 consumers, devices or households.
Julie Griffiths of California Citizens Against Lawsuit Abuse says that the law, while providing a threshold for the businesses that must abide by it, may still end up having a residual effect on others.
"Because the California Consumer Privacy Act (CCPA) applies to businesses with $25 million or more in annual revenue, we don't expect many of our small business members to be impacted," Griffiths said. "However, we will be watching implementation of the CCPA closely. There have been numerous other pieces of legislation intended to target large enterprises, which have resulted in unintended consequences for California's small and micro businesses.”
In addition to providing consumers with more information on their personal data, it provides new methods of controlling that data. Those include “the right to request deletion of personal information” and “opt-out of the sale of personal information “
Critics of the law have targeted the description of “personal information” within it as being overly broad. The bill states that “...with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.” This includes biometric data, geolocation data, along with standard data sets link employment, education and personal identification.
“...We're concerned about the 50,000 person threshold for receiving information and how that will be interpreted," Griffiths said. "There are a number of small businesses with less than $25 million in annual revenue who experience 140 or more website visitors daily. It's unclear whether or not website traffic will cause a business to cross the CCPA compliance threshold."