Edward Johnson, PMP, CSM

Trusted Advisor

The California Consumer Privacy Wake-up Call

Edward Johnson, PMP®, CSM® November 25

The California Consumer Privacy Act (CCPA) was introduced as a bill on January 3, 2018 and signed into law on June 28, 2018. Of course, before it was a bill, it was a murmur in California beginning in 2017. I mention these dates as they will be important as you consider how the state will move forward.


The bill goes into effect January 1, 2020. Before we get into some of the details of the law, let’s look at the applicable timelines and how long it will take for litigation to begin. The law gives an applicable company 45 days to respond to a consumer’s request. They can request a 45-day extension. That brings the total response time to 90 days. If a company does not respond within that time, then the cost to them will be $7,500 per incident.


Far too many companies are treating this new law as something simple that can be implemented in a short period of time. Depending on how much of your business is data driven, the CCPA can and, I suspect, will drastically change your operational model.


What businesses are affected? The CCPA applies to any business if one or more of the following are true:


  1. Has gross annual revenues in excess of $25 million
  2. Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices – this is going to make a lot of businesses choke
  3. Derives 50 percent or more of annual revenues from selling consumers’ personal information


This law is going to hit a lot more companies than not. Think about the types of companies that make their money from data. Financial services, insurance, technology, consumer marketing and political campaigns are just a few examples of businesses that will be radically impacted.


Take a look at those companies that take your information and give you quotes from other companies for things like insurance and credit cards. Every company in that ecosystem is affected by the new law.


Here are some key points companies should be thinking about:


  1. People have the right to know what personal information a business has collected about them over the preceding 12 months
  2. People have the right to know what categories of information you have about them
  3. People have the right to know what categories of sources were used to get that information
  4. People have the right to know what categories of information about them you sell
  5. People have the right to know the categories of 3rd parties to whom their information was sold


You do not have to dig too deeply to see California is saying businesses no longer have carte blanche to collect and use information without notice to the customer at or before they collect the information. Most companies do not have the mechanisms in place to properly respond to these consumer demands.


I fully expect California to pounce all over companies that are not compliant by the end of the first quarter of 2020. Given the lead time they gave companies before the law goes into effect, I think California is going to take a lot of businesses to task. Not to mention the possible class action lawsuits that can be brought against any one of these companies. These events would have an almost profound effect on public perception and legal liability.


Pay close attention to the first 6 words of each of those rights…strict attention. Then take a look at what actions people are allowed to take.


  1. People have the right to request a copy of their information (this is also affected by portability)
  2. People have the right to request a business delete their information
  3. People have the right to opt-out of businesses selling their information
  4. People have the right to not be discriminated against should they opt to use the new law


No matter what business your company is in, if you are driven by data in any significant way, your company MUST review this new law and engage experts to help your organization take the necessary steps to become compliant.


We are talking about a law that can have a billion-dollar impact on any business operating in California. The budgets for these businesses are about to explode and take money from other important projects. Companies should not think the CCPA is enough like GDPR or GLBA that those laws will make them exempt. There are huge differences between each of those laws.


This is another example of how regulations and compliance are reshaping how businesses do business. Indeed, a serious wake-up call.

© 2024, GigBlast (a service of Rebel Visions Corporation) All Rights Reserved.