Ready or Not, CCPA is Here and It Can Be Expensive for Those Who Are Unprepared

Image Credit:  Titima Ongkantong / Shutterstock.com

The California Consumer Privacy Act (CCPA), which has been in place since January 2020, is now being enforced. As of July 1, California Attorney General Xavier Becerra has promised strict enforcement from day one. California has become the first state in the Union to implement controls on companies’ consumer data handling practices. Modeled after the EU’s General Data Protection Regulation (GDPR), the CCPA impacts companies with annual gross revenues totaling $25 million or more, those that buy or sell customer data on more than 50,000 individuals, and those that make more than half of annual revenues from selling customer data. It is estimated that the regulation will impact 75 percent of California businesses.

The main purpose of the CCPA is to give Californians more control over personal information and give them the right to opt-out of having that data collected and sold. The CCPA is a state regulatory function, but that doesn’t mean its impact on an organization is limited to companies within California’s boundaries.

Like most new bureaucratic regulation roll-outs, last minute amendments and changes to regulations have resulted in half of the affected companies missing the deadline for compliance. Lauren Fisher, principal analyst at eMarketer says, “Even those who feel ready and say they’re compliant will likely have to make modifications and changes as the year progresses and the true nature of the regulation becomes clearer. Companies need to look at compliance as an ongoing process and not a static checklist.” A recent survey by TrustArc, a compliance and risk management vendor, reported that 29 percent of respondents reported that they have just started preparing for the CCPA. The survey found more than 20 percent of respondents saying that they either did not know or were unlikely to be compliant with the law by the July deadline and just 14 percent of respondents reported the completion of CCPA compliance.

Despite the coronavirus pandemic and a request by more than 60 business groups to push the enforcement date back to January 1, 2021, Attorney General Becerra is committed to a “ready or not here I come” approach to enforce the July 1 2020 deadline, and it does appear that he is a committed bureaucrat on a mission.

In filings in the Northern District of California, two sets of consumer plaintiffs allege that “Zoom collected and shared their data in violation of the CCPA, as well as California’s Unfair Competition Law (UCL) and Consumers Legal Remedies Act (CLRA)”. The UCL and CLRA pre-date the CCPA and permitted consumers to seek relief from a company’s harmful business practices. According to the allegations against Zoom, “the company sends third parties, without notice to the user, the device model, software, storage information, time zone, IP address and other unique identifiers for the purpose of targeted advertising.” Prior to the filing, Zoom publicly admitted to the data-sharing practice and released a new version of the app that eliminated it.

Failing to be proactive and getting ahead of fast-breaking, comprehensive and often punitive regulations can result in a huge financial penalty that can negatively impact a company for years to come. If you are looking to learn more about the implications of GDPR or CCPA for your organization, contact Junction Creative for more information at 678-686-1125.