September 10, 2019
Beginning January 2020, the California Consumer Privacy Act (CCPA) will allow that state’s residents to find out exactly what personal data companies hold about them — and ask them to delete such information. Consumers will also be able to opt out of the sale of their personal information. The legislation — which was designed to make Amazon, Facebook, Google and others more transparent — will impact a wide range of companies, large and small, including airlines, banks, retailers and restaurants.
The Wall Street Journal reports that the law “applies to any for-profit business that does business in California and collects data on California residents, as long as its annual revenue tops $25 million, or it holds personal information on at least 50,000 consumers, or it generates at least 50 percent of its annual revenue from selling user data.”
According to the International Association of Privacy Professionals, that will impact “some 500,000 U.S. businesses across all sorts of industries,” such as Starbucks, Gap, Aetna, Wells Fargo and American Airlines — and including those with no physical presence in California.
“You have to find a way to capture all that information and track it so you know what’s happening with that information,” said Gap associate general counsel for privacy and data security Dan Koslofsky. “And that’s a pretty significant undertaking for most companies. Unless you’ve been in a regulated space like health care or financial services, you probably haven’t done that previously.”
WSJ notes that “few companies keep all their customer data in one place, and now many are scrambling to build tools to match up individuals’ data across disparate systems, such as directories, purchase histories and customer-service request logs.”
Some companies, such as Gap, already complied with the European Union’s General Data Protection Regulation (GDPR), which puts them ahead of the game. A survey by PricewaterhouseCoopers revealed that “only 52 percent of respondents said they expected their company to be CCPA-compliant by January 2020.”
By next summer, when the law is expected to be enforceable, “businesses that get a customer data request will have to comply within 45 days or risk pricey fines and possible civil litigation,” with damages as high as $7,500 for a data breach.
Since the work of creating a “separate protocol for California’s 39.6 million residents” is so onerous, many companies plan to apply the changes they make for California to the rest of the country, leading some to predict that California’s legislation will “become a kind of de facto national standard.” DLA Piper principal/attorney Rena Mears said, “99 percent of the businesses that we’re dealing with are choosing to make the law apply to all their U.S. customers.”
Many uncertainties remain, including the disposition of retail loyalty programs, the use of credit cards and what will happen if large numbers of consumers opt out of data sales. WSJ states that “companies are gearing up for every conceivable scenario, including the possibility that identity thieves may pose as someone else to obtain their data.”