Confusion Over California Consumer Privacy Act (CCPA)

By CM Strawn 1/28/20

            The first few weeks under the new California Consumer Privacy Act (CCPA) have revealed issues and challenges. Compliance is difficult because of the many ambiguities and the confusion over grey areas, such as the definitions of “sale” and “opt-out”, among others.

            As of the first of the year, the office of the California Attorney General has not yet released a final CCPA draft. So, no one knows what the final law will look like.

            The CCPA was signed into law in June 2018. Since then there has been a mad scramble to interpret and implement new privacy policies on time. As of January 1, 2020, around half of US firms are not yet compliant.

            The cost of compliance to US business is around $55 billion to start. And over the next 10 years another $16 billion will be added. Entire departments have been created to cope with the CCPA.

            Even though the law was written to, presumably, benefit California residents, its effect is rippling throughout the entire country. Since a California consumer can be someone not living in the state, companies are, rightly, implementing the CCPA into their nationwide privacy policy, just to be safe.

            It doesn’t stop there. Even companies from other countries doing business in California will be affected. So, it seems that the ubiquitous state of California is influencing commerce throughout the entire world, mimicking the General Data Protection Regulation (GDPR) enacted by Europe in May 2018.

            The California privacy law goes further than the GDPR by regulating biometric data like facial recognition and fingerprints (optical?). There are other differences between the GDPR and the CCPA, which require that both laws be accommodated in a privacy policy.

            Not to be outdone, the US Government is also getting in on the act. Since other states are also proposing their own privacy laws, the Federal Government is exploring a uniform privacy law for the entire country – to reduce confusion.

            The question is how much more the privacy puddle will be muddied by additional laws. The entire structure could collapse under its own weight.

            Enforcement would be challenging because of ambiguities and vagaries produced by the bulk of bureaucratic verbosity.

            Already, enforcement of the CCPA will not begin until July 2020, according to California Attorney General Xavier Becerra. Even then there will be only around two dozen agents to cover 40 million consumers. They estimate that there will be 2 to 3 cases prosecuted per year.

            Compliance with the CCPA, as with the GDPR, is not an option.

            A business may think it’s too small or that it will be overlooked by enforcers. But the risk of noncompliance is too great to be ignored.

            Consider the penalties: For the CCPA, fines for accidental violations are $2500 per individual. For deliberate violations the fine is $7500 per individual. Under the GDPR, Art. 83(5), the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of their total global turnover of the preceding fiscal year, whichever is greater.

            That kind of forfeiture will ruin a small business. And an established business can be severely damaged or destroyed. That doesn’t include the loss of brand and reputation, from which there may be no recovery.

            These privacy laws are shifting sand. Facebook and Google, including their subsidiaries WhatsApp and Instagram and the Android operating system, have made good faith efforts to comply with the GDPR. But on the first day of enforcement, they were hit with over $8 billion in violations.

            It is obvious on its face that these mega corporations have been singled out to test the law. (Expect the CCPA to do something similar.)

            Consider it a warning shot for anyone with an internet presence. All websites will be vulnerable as soon as governments establish what violations will be most easily prosecuted.

            There is an overabundance of websites specializing in privacy policy compliance. All one need do is Google CCPA compliance and over 42 million results will show up. Granted, not all are websites. Some are posts like this one. But that reflects the impact of this new law.

            The advice of a good attorney specializing in CCPA will be helpful, if there is any question of compliance. (Duh) The vagaries of this new privacy law are many and varied. So, legal advice may help prevent violations and serious consequences.

            Doing business online has gotten more complex and dangerous. To regulate the internet, government is attempting to exert control under the pretense of privacy protection. Entrepreneurs must be wary, not only of malevolent hackers, but also of ambiguous government regulations.
