By CM Strawn 1/28/20
The first few weeks of the new California Consumer Privacy Act (CCPA) have revealed issues and challenges. Compliance is difficult because there are many ambiguities and much confusion over grey areas, such as the definitions of “sale” and “opt-out,” among others.
As of the first of the year, the office of the California Attorney General has not yet released a final CCPA draft. So, no one knows what the final law will look like.
The CCPA was signed into law in June 2018. Since then there has been a mad scramble to interpret and implement new privacy policies on time. As of January 1, 2020, around half of US firms are not yet compliant.
The cost of compliance to US business is around $55 billion to start. And over the next 10 years another $16 billion will be added. Entire departments have been created to cope with the CCPA.
It doesn’t stop there. Even companies from other countries doing business in California will be affected. So, it seems that the ubiquitous state of California is influencing commerce throughout the entire world, mimicking the General Data Protection Regulation (GDPR) enacted by Europe in May 2018.
Not to be outdone, the US Government is also getting in on the act. Since other states are also proposing their own privacy laws, the Federal Government is exploring a uniform privacy law for the entire country to reduce confusion.
The question is how much more the privacy puddle will be muddied by additional laws. The entire structure could collapse under its own weight.
Enforcement would be challenging because of ambiguities and vagaries produced by the bulk of bureaucratic verbosity.
Already, enforcement of the CCPA will not begin until July 2020, according to California Attorney General Xavier Becerra. Even then there will be only around two dozen agents to cover 40 million consumers. They estimate that there will be 2 to 3 cases prosecuted per year.
Compliance with the CCPA, as with the GDPR, is not an option.
A business may think it’s too small or that it will be overlooked by enforcers. But the risk of noncompliance is too great to be ignored.
Consider the penalties: For the CCPA, fines for accidental violations are $2500 per individual. For deliberate violations the fine is $7500 per individual. Under the GDPR, Art. 83(5), the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is greater.
That kind of forfeiture will ruin a small business. And an established business can be severely damaged or destroyed. That doesn’t include the loss of brand and reputation, from which there may be no recovery.
These privacy laws are shifting sand. Facebook and Google, including their subsidiaries WhatsApp and Instagram and the Android operating system, have made good faith efforts to comply with the GDPR. But on the first day of enforcement, they were hit with over $8 billion in violations.
It is obvious on its face that these mega corporations have been singled out to test the law. (Expect the CCPA to do something similar.)
Consider it a warning shot for anyone with an internet presence. All websites will be vulnerable as soon as governments establish what violations will be most easily prosecuted.
The advice of a good attorney specializing in CCPA will be helpful, if there is any question of compliance. (Duh) The vagaries of this new privacy law are many and varied. So, legal advice may help prevent violations and serious consequences.
Doing business online has gotten more complex and dangerous. To regulate the internet, government is attempting to exert control under the pretense of privacy protection. Entrepreneurs must be wary, not only of malevolent hackers, but also of ambiguous government regulations.