Companies not Ready for California’s CCPA Privacy Act


Companies in California are scrambling to comprehend and meet the extensive requirements of the new California Consumer Privacy Act or CCPA. That’s no surprise, as the same happened with Europe’s General Data Protection Regulation or GDPR in the months before it came into force. However, with the effective deadline of January 1st, 2020, just around the corner, time is running out for companies conducting business in California or possessing personal data on Californian residents. Even with a six-month grace period before any government investigations and enforcement actions begin, there is cause for some worry.

Data Regulation a Work in Progress

In the US, data regulation is still a work in progress. Since 2018, several states have introduced and passed legislation that mirrors some of the protections provided by the GDPR. Others, in particular the California law and to a lesser extent the Vermont law, aim to offer broader protection to consumers and go beyond data breach notification rules. Much like the GDPR, the comprehensive California Consumer Privacy Act gives users a host of new rights when it comes to controlling their data.

As of January 1, 2020, California residents will have the right to:

  • Know what personal data is being collected
  • Know whether their personal data is sold or disclosed and to whom
  • Say “No” to the sale of their personal data
  • Access their personal data
  • Request a business to delete any personal information
  • Not be discriminated against for exercising these rights

Another difference from the existing privacy laws in most states is that the CCPA will apply to all for-profit organizations (or entities that control or are controlled by such businesses), regardless of their location, that conduct business in California and/or possess information on Californian residents.

Businesses must comply with CCPA requirements if they meet ANY of the following criteria:

  • Generate an annual gross revenue in excess of $25 million
  • Possess personal data of more than 50,000 consumers, households or devices
  • Earn more than half of their business’s annual revenue selling personal data

An estimated 500,000 US companies meet one or more of these requirements and thus will have to comply.

Monumental Shift in US Data Privacy Regulation

The CCPA marks a monumental shift in US data privacy regulation. At the moment, data regulation is still a patchwork of different rules and regulations across different states and sectors. For most consumers, it is impossible to follow what their rights are. On the other hand, many businesses struggle to comply and welcome more regulatory certainty. In September, 51 top CEOs from companies such as Amazon, IBM, Dell, SAP and JP Morgan Chase voiced their concerns in an open letter to Congress urging policy makers to pass comprehensive consumer data privacy laws.

In the upcoming months, no doubt, all eyes will be on California. Not only are many of the top tech companies, including Apple, Alphabet Inc. and Google, based in Silicon Valley and Palo Alto; with a GDP of $3 trillion (2018), the state is also the crown jewel of the US economy, ahead of countries like India and the UK.

As of January 2020, California will also have the strictest privacy laws of the US, comparable to but also in some ways different from the GDPR. Much like the GDPR, the CCPA qualifies “online identifiers” such as your IP address as personal information, as well as device IDs. A key difference is that the CCPA also considers information that can be linked to “a household” and not necessarily one individual of that household. Surprisingly, it makes a distinction between personal data provided by a consumer (included) and personal data that was purchased or acquired through a third party (mostly excluded), while nonetheless offering an opt-out right for the sale of personal information.

CCPA Compliance Poses Significant Challenges

For most businesses, these privacy regulations require big changes to technology and processes. They need to understand which rules apply to them and figure out how best to manage their data. Unsurprisingly, the new California privacy law will present a number of compliance challenges for organizations of all sizes, whether in terms of the sale of personal information, data subject access rights, data security and security compliance, or privacy policy requirements.

Unfortunately, most companies seem to lack a clear road map. Privacy technology firm Ethyca recently conducted a study to understand the different ways businesses are approaching privacy and compliance. The report shows that just 12% of the respondents believe they have achieved an adequate state of compliance or compliance readiness, meaning 88% are “not ready”. More than 70% have no engineering solution and rely on man-hours and retrofitted processes. Basic data-mapping is still the greatest concern for early-stage companies. Start-ups are least likely to have formalized data privacy resources and processes.

Just as we have seen in the Facebook-Cambridge Analytica data scandal, fines easily add up. Under the CCPA, all violators and non-compliant parties can be penalized with monetary fines if a breach occurs: from $750 per affected user in civil damages, to $2,500 per violation for those lacking intent and $7,500 per violation if intentional.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using's dedicated VPN testing protocol that has been finetuned and optimized over the years.