It’s 2020 – and that means the California Consumer Privacy Act (CCPA) is now law. The new data privacy law went into effect on January 1, with major consequences for both consumers and companies.
What the CCPA Requires
The CCPA gives consumers the right to know how their data is being used, to see what data is being collected on them and to tell companies to stop sharing their data.
In order to comply with the CCPA, some companies must provide a “Do Not Sell My Personal Information” button on their website. These companies must provide an easy way for consumers to request information on their personal data, to have their data deleted or to opt out of data sharing.
The CCPA is supposed to apply to consumers in California. This means that businesses with customers in California may have to comply – even if the businesses themselves aren’t based in California.
The CCPA doesn’t apply to all businesses, however. It applies to businesses that meet one of three criteria:
- They have an annual gross revenue of more than $25 million.
- They buy, sell or share personal information on at least 50,000 consumers, households or devices.
- They derive at least 50 percent of their annual revenue from selling the personal information of consumers.
The Cost of Compliance
Complying with the CCPA is no easy feat. Among other things, companies must modify their websites to disclose information on personal data use and to provide easy ways for people to opt out. Companies must also allocate resources to deal with requests from consumers regarding their personal data.
According to a report on the financial impact of the law, the expected cost of initial compliance is $55 billion.
Ready or Not
According to a Verge article published on December 31 – only one day before the CCPA went into effect – no one was ready for new law, including the state government. The article states that regulations for enforcement were still in the process of being finalized, and various questions had yet to receive clear answers.
While some businesses were probably scrambling to get ready, others were arguing that the law would not apply to them. According to CPO Magazine, Facebook has claimed that the law does not apply to it because the social media giant does not sell the data it collects directly. Before other companies get excited about this possible loophole, it’s important to note that the article also states that various experts have cast doubt of likelihood that this claim will succeed, and lawsuits seem likely to follow.