This article originally appeared in Digital Content Next on May 3, 2019.
While the California Consumer Privacy Act (CCPA) is poised to present peace of mind for many, it could be crippling for any publisher that relies on their GDPR compliance framework. In light of recent updates to CCPA, it’s clear that publishers must get on board or face some seriously damaging consequences in the form of not only revenue loss but also severe financial penalties.
The CCPA ripple effect
When CCPA first passed in June 2018, just one month after GDPR’s enforcement, people were quick to refer to it as “GDPR light.” This was an indication that the landmark law will have significant ramifications for how companies that meet the thresholds and do business with Californians operate. At its core, CCPA signals a shift in business models, in particular where data is a revenue stream. What “GDPR light” downplays, however, is how significant that shift truly is.
The very fact that such regulations were passed in the world’s 5th largest economy was a bold statement in itself. With California at the helm, it’s only a matter of time before the rest of the nation follows suit. Other states are not just going to sit back and have privacy issues impact their citizens after California has made the first move.
More legislation in the works
Several other states have already jumped on board with similar laws, some with pages pulled straight from CCPA. For example:
- North Dakota: A proposed bill would require companies to provide consumers (upon request) with information about the types of personal data that companies collect and possess.
- New York: Two bills are on the docket: one addressing biometric privacy and another that would govern businesses’ collection and disclosure of personal information.
- Utah: A bill would require law enforcement to get a warrant from a judge to access electronic information.
- Washington: Legislation would allow consumers to ask companies for a copy of their personal data and to delete or correct inaccurate data. It would also regulate facial recognition technology.
- Texas: Two bills have been proposed that take more than a page, entire chapters in fact, from CCPA: TCPA and TPPA.
The results are clear: CCPA is about to shake the very foundation of how companies conduct business nationwide. Because of this, several federal regulations have also been proposed. And while it’s unlikely any of them will pass before CCPA is enforced on January 1, 2020, it’s vital to note that these things are currently being worked on behind the scenes. More importantly, since CCPA passed sooner than anyone expected, publishers should begin taking immediate action to align with the upcoming regulations. The groundswell of consumer privacy ballot initiatives is only growing stronger as consumers become more outraged with their lack of privacy rights in the digital landscape.
Proposed amendments
Every publisher, whether operating in California or not, needs to be fully versed in the new law because it affects anyone who conducts business with California residents. It provides those residents with new rights to their information such as knowing what personal information is being collected, shared, and sold, and with whom.
Furthermore, it allows them to access and delete their information, or decline its sale, while still receiving equal service and price from businesses. Meanwhile, publishers must inform their digital readers of what information is being collected and why. Publishers must also work to ensure that each vendor in their supply chain is operating within their contracted policies. Additionally, toll-free numbers, email, or websites must be provided to consumers so that they can easily request their information.
The latest on CCPA
Recent changes to CCPA include several notable items, but there are two amendments in particular that could affect businesses for years to come—SB-561 and AB-25. The first dramatically increases the legal risks of businesses that collect and keep information by allowing consumers to file suit for any alleged violation of their CCPA rights without any evidence of harm—even before the Attorney General publishes guidance. What’s more, if the amendment passes, businesses will no longer have the right to consult with the AG on such matters.
The second amendment deals with how the law defines “consumer information.” If passed, this amendment would exclude information collected by a business from a job applicant, employee, contractor, or agent. That’s a good thing, because without this change, consumer information will include business contact information and employee information, resulting in unintended consequences. Former employees will be able to request items from previous employer records, such as emails and other corporate documents that mention their name, including those that contain confidential corporate information and performance evaluations. They can also request emails to and from former contacts, enabling them to reach out to company clients and prospects.
Preparing for CCPA
At the end of the day, there’s no definitive answer on how CCPA will evolve by the time it is enforced on January 1, 2020. Still, with less than a year to go, businesses need to take a risk management approach. They need to find out what information is collected and from whom, what information is shared and with whom, and how to secure that data. Operations, security, IT, and compliance teams will need to keep abreast of the regulations and their consequences for the organization. And in order to operationalize security and privacy, these teams will need to work together.
Those taking a wait-and-see approach should look no further than the average cost of GDPR compliance. It’s been noted that, after factoring in legal and other fees, the cost sits anywhere between $1M‐$10M. That number could quickly grow if a violation occurs, and the likelihood is high, given the increased right to personal information. To put it bluntly, waiting to see what happens next is not an option. Businesses of all sizes must act now to protect their bottom line or face the impending consequences.