California capital building in  Sacramento
PHOTO: Wil Stewart

2020 marks the beginning of the first comprehensive data privacy legislation in the US, the California Consumer Privacy Act. (CCPA). In 2018, California legislators passed a new set of laws designed to implement regulations on how an organization collects, stores and sells the personal data of California residents.

The law went into effect on January 1, 2020. But the sad reality is most companies are not yet compliant with all the regulations that are part of this new law.

The new laws gives California residents the following rights:

  1. Businesses are required to disclose the personal data collected, sold or disclosed about a consumer for a business purpose. Businesses also must inform consumers the categories of personal data collected and the purpose for which their personal data will be used.
  2. Access to their personal data.
  3. Upon request, an organization is obligated to delete all personal data of the consumer. In the case that this data is shared with third-party vendors, the data held in those systems needs to be deleted as well.
  4. The ability to opt-out of the sale of their personal data. As part of this, businesses must include easy to use links to do so from their websites.
  5. An organization cannot discriminate against a consumer who exercises their CCPA rights.

Who Needs to Comply?

It is fairly simple to figure out whether you need to comply with CCPA or not. Any organization doing business in California that collects the personal information of Californians and meets one of the following guidelines are required to comply with CCPA:

  1. Any company that grosses $25 million in annual revenue.
  2. Any company that obtains personal information of at least 50,000 California residents, households and/or devices per year.
  3. Any company that has at least 50% of their annual revenue generated from selling California residents’ personal information.

Certain companies are exempted from compliance with the CCPA. This is because these companies are already covered by other regulations or acts:

  • Health providers and insurers that are already under HIPAA.
  • Financial companies covered by Gramm-Leach-Bliley.
  • Credit reporting agencies under the Fair Credit Reporting Act.

Related Article: Preparing for New Data Privacy Regulations? Learn From GDPR

Is CCPA a Challenge to Comply With?

Before the CCPA was drafted, the European Union’s General Data Protection Regulation (GDPR) was already in effect and big names like Facebook and Google faced billions of dollars in fines due to noncompliance. That being said, the adoption of the GDPR was considered to be a smooth process. The CCPA is said to be a bigger challenge as it is the first sweeping legislation in the US that will give consumers more control over how organizations use their personal data. This will affect the US as a whole and will prompt other states to come up with their own regulations — many of which are already in the works.

The co-head of Morgan Lewis’ privacy and cybersecurity practice, Mr. Reece Hirsh said, “If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster.”

California Attorney General Xavier Becerra said earlier this month, "Even though widespread enforcement of the CCPA isn’t likely until July, companies should not view the first six months of the year as a grace period. We’re going to try to help folks understand our interpretation of the law."

Related Article: Examining Where 8 US States Stand on Consumer Data Privacy Laws 

Manual Effort Alone Won't Keep You Compliant

Although the CCPA has not mentioned anything of the sort, it is becoming fairly apparent that organizations will have to automate their operations in order to comply with the CCPA. Data discovery, data linking and updating privacy policies, not to mention doing an internal assessment as well as assessing third parties, which will prove to be a mammoth task. It is virtually impossible for an enterprise to use traditional means in order to do all these tasks. If an enterprise decides to stick to traditional means, they could be seeing operational expenses of billions of dollars, not to mention the constant risk of human error, which can result in fines and class action lawsuits.

Related Article: Feeling the CCPA Heat?

Key Takeaways

The CCPA can be classed as the toughest privacy regulation in the US and can send companies into a frenzy in order to stay compliant. Any enterprise that aims to stay compliant with the CCPA needs to start revamping their operations now.

  • Almost every large business operating globally could potentially come under the scope of the CCPA.
  • 95% of businesses are not prepared for the CCPA.
  • Organizations need to keep track of their data and develop an efficient way to sort it.
  • Organizations need to understand privacy regulations and reflect the CCPA regulations into their internal policies.
  • Compliance with the CCPA can be deemed virtually impossible without the help of automation.

The CCPA is effective and organizations have another four months until the law is enforced. Only time will tell how it will impact companies around the globe.