January 1, 2020 is a landmark day for data privacy in the United States. It’s the day the biggest state in the union, indeed, the sixth biggest economy in the entire world, California, will enact its own piece of privacy-focused regulation, the California Consumer Privacy Act (or CCPA).
As the founder of a company that provides privacy compliance solutions for businesses of all shapes and sizes, I spend my time out on the front lines listening to a variety of C-level executives and their perspectives on the forthcoming CCPA. I’ve become concerned that many of them, particularly those who aren’t fluent in the privacy space, aren’t showing the looming challenge of CCPA compliance an “appropriate amount of fear”, to borrow a phrase from an old coach.
I know that many privacy practitioners face this same dilemma in their own workplaces. The CCPA is likely to be treated as nothing but a costly inconvenience by many of their colleagues. But what I try to illustrate to the skeptics I encounter – and it’s a tactic I recommend to readers facing this challenge – is that the world has changed. Anyone in business understands the importance of consumer trust. And in the eyes of the consumer, trust and data privacy now go hand in hand. It’s not just that companies will be penalized by the CCPA for doing this wrong. I believe they’ll be rewarded by consumers if they demonstrate a commitment to doing things right.
But workplace inertia is a powerful thing, and privacy skeptics are often ready with one of a few canned responses. These recurring myths I’ve heard voiced regarding CCPA implementation share a common thread of permitting a business to do less today and more tomorrow on the issue of privacy compliance. But many of them aren’t true, or are at best only partly true. I want to address some of the most pervasive, in the hope that doing so will bolster readers’ cases when lobbying their colleagues to get serious about the CCPA. Because after going through this before with the GDPR, I feel secure in saying it will represent a significant challenge for many businesses.
First, the six-month “grace period” from January to July 2020 does not actually mean that companies can wait until July to ensure they’re compliant. It does not apply to the private right of action that consumers can exercise (with a value of up to $750 per consumer per breach incident). And the California Attorney General will be able to retroactively prosecute companies that were in violation during the first six months. It’s true that the AG is likely to skew lenient during this period, but there’s nothing to stop them from taking a hard line if they see a case of gross negligence. Anyone who tells you they “have until March” to figure out the CCPA is knowingly or unknowingly placing their business at significant risk.
Another source of CCPA-related resistance often revolves around the actual size of the task at hand. Even execs with a good handle on the vagaries of compliance planning can fall victim to a number of mistaken assumptions and suggest the job isn’t a big one. A common refrain I hear is “we just did this with the GDPR, so we don’t need to go back and do it all over again.”
This is often not true; it’s possible that a business, in preparing for GDPR, overspec’d so much that they unwittingly attained CCPA compliance. It’s much more likely that they did enough to scrape by GDPR, and, for example, dealt only with their European data. Most legacy businesses with a large footprint aren’t holding European and US customer data together. Even if they are, there are important aspects in which the CCPA is even more stringent than the GDPR – for example, regarding the Right to Equal Service and Prices. In short, the idea that a company can skimp on CCPA compliance processes since they did them for GDPR is only valid if that company has significantly overspec’d its GDPR effort. And that’s rare.
Lastly, there’s the dangerous argument that a given business isn’t large or visible enough to incur regulatory wrath – that if you’re not a FAANG company the risk of privacy non-compliance is theoretical rather than practical. A simple look at the GDPR numbers demonstrates this is false. Enforcement started slow but has picked up significantly in 2019, as regulatory authorities found their footing. A running tracker hosted by CMS Law currently shows 86 different entities have been fined under GDPR, ranging from the world’s biggest companies to small merchants to the mayor of a small Belgian town.
What’s more, the gross dollar amount of privacy-related fines has been rising by orders of magnitude. In 2009, the highest fine for a data-related transgression was $9.8 million. This year, excluding FAANG companies (Facebook’s FTC settlement of $5 billion is likely an, ahem, outlier) that value still rose to $230 million (in a landmark ruling against British Airways). The point is, whether one looks at frequency or magnitude, the idea that violating privacy law is “low risk” grows increasingly fantastical. And it’s not scaremongering to point this out to key stakeholders who are putting off preparing for the CCPA.
For many businesses, particularly those that aren’t digital-first, CCPA compliance is merely another regulatory headache that is to be dealt with using as few resources and as little effort as possible. I actually understand that point of view – if a company sells light bulbs, it’s a bit ridiculous to expect them to be privacy evangelists. But at the very least, I expect them to have a pragmatic picture of the costs and benefits that compliance represents so that they can make the best decision for their business. The myths discussed above are ones I’ve heard peddled repeatedly to minimize the stakes of the incoming CCPA. But companies that continue believing them may soon find out the hard way that the truth hurts.