CCPA: Thinking Beyond Compliance = Competitive Edge


Consumer data privacy protection is a global concern – driving new regulations around the world.  Many U.S. companies are multi-national, and have already begun work to increase security and transparency in meeting the requirements of GDPR.  In general, if a company is in compliance with GDPR (or are on their way in meeting those requirements), then that company is fairly far along in meeting the requirements of CCPA.

OUR TAKE:  From a business perspective, those companies that proactively invest to protect data privacy online, thus improving personal data protection, going beyond simply complying with new requirements, will themselves be viewed as trustworthy – building trust with consumers and other users.  This effort of thinking: ‘beyond compliance’, will help a company gain a competitive edge. (And oh by the way…demonstrate a sincere interest in protecting their clients’ personal data.)


FROM THE OFFICE OF CALIFORNIA ATTORNEY GENERAL, Xavier BacerraThe California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply. The Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.


CALIFORNIA Starts the Ol’ Ball Rolling

With the fifth largest economy in the world, led by its science and technology sector, California has stepped out in front to lead on consumer personal data protections and rights for its residents.  That said, the passage and enactment of CCPA is not without concerns from both businesses and consumers.

Consumers v. Businesses?

Again, there are similarities between the GDPR and the CCPA.  From the consumer’s point-of-view, there is a set of common principles in both GDPR & CCPA regarding transparency, including an individual’s right to security of their information, and the right to access or request deletion of personal data. Businesses, in review of both laws, are understandably largely focused on the potential for substantial penalties for noncompliance.

In both GDPR and CCPA, the rights of consumers and the obligations of the businesses are different, but are certainly connected.  While review and interpretation could be viewed as, ‘the rights of consumers versus the obligations of businesses’, taking ‘competing’ viewpoints not only may ‘miss the point’, it might also skew decision-making.  A business should be clear-eyed when undertaking the obligations required by this law, even in an ‘evolving’ landscape of ‘things to come’….

Is CCPA a ‘done deal’?

The short answer is, NO.  As CISO ONLINE points out, “California’s new privacy law, AB 375, might not burden security as much as the GDPR, but details are subject to change.”  Ah yes…the ‘subject to change’ clause.

And as The Verge states directly, “Just like the GDPR, it’s not totally clear what it means to be compliant with the CCPA.”  Their article goes on, “…it doesn’t look like anyone, even the state of California itself, is totally ready. Draft regulations for enforcing the law are still being finalized at the state level, and questions about specific aspects of the most sweeping privacy regulation since the European Union’s General Data Protection Regulation (GDPR) are still not clear.”

So, what to do?

Legal advice is flying in the midst of companies working to, first catch-up to GDPR, and now examine the requirements of CCPA.  The advice is fairly basic, and includes:  Updating Privacy Policies, Creating Data Filing Processes for all Personal Information Collected, and Determining Management Hierarchy for Handling Consumer Request.

Easier for the Big Companies than the Little Guys?  Maybe.  And just which companies are impacted?

CCPA-Affected Businesses

A CCPA-Affected Business is defined as one that that collects consumers’ personal information, has more than $25 million in revenue, alone or in combination, and annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices or derives 50% of its annual revenues from selling a consumer’s personal information. (“Consumer” – Cal. Civ. Code §1798.140)

NOTE:  A key fact to note is that the CCPA applies to any business that, “does business in the State of California”, NOT just businesses residing, or incorporated in California (!).

The U.S. Chamber of Commerce was visibly involved as the CCPA was being developed, and prior in consumer protection matters.  The Chamber has stated its support of a federal privacy law.  Prior to CCPA’s passage, the Chamber convened over 200 member companies and trade associations to create MODEL PRIVACY LEGISLATION based upon its own privacy principles.  The Chamber’s principles and model includes, “a nationwide privacy framework that protects privacy based upon risk to consumers, encourages transparency, and promotes innovation through collaboration between government and private stakeholders.”

The Chamber urged in its presentations, As (California) continue(s) to adopt regulations and the Legislature pursues further action in response to the California Consumer Privacy Act (“CCPA” or “Act”), the Chamber urges you to consider the principles espoused by (its) model legislation in order to develop greater certainty for both consumers and business.”

STILL – It’s Happening!  What to do?

Yes.  It is happening.  The CCPA is one of the most significant privacy regulations ever to come about in the United States.  And there continue to be concerns amidst the uncertainties in the law.  Simultaneously, there are a number of other states considering their versions of CCPA.  If a comprehensive federal privacy law is not created and passed in the near future – which is unlikely – businesses are potentially facing a ‘hodgepodge’ of state-written privacy regulations around the country.

Companies must prepare for growing and complex security regulations.

It is, therefore, critical to establish A FRAMEWORK with PROCESSES that are AGILE to meet the evolving landscape.

An agile framework that is INTEGRATED across all Platforms AND Business Units is the primary step to take in meeting all related activities; and it is certainly critical in working to meet compliance – particularly around new, and evolving laws.

A cross-functional team can create and provide assessments, policy setting and agile processes in meeting the legal and compliance demands of CCPA, and other laws as they emerge.

And What About that, “Competitive Edge”?

There is a challenge for businesses to not only understand the rights of consumers, but to translate those rights – and the related legal requirements – into their operations, while not hindering operations.  That challenge – as is true with most challenges – presents, AN OPPORTUNITY.

Translating the legal mumbo-jumbo in a manner that results in the creation of thoughtful and detailed operations, processes and practices, SUPPORTS the consumer.  Done ‘right’, it likely brings consumers and customers TO the business in recognition of your actions on their behalf.  (And it takes care of the requirements too, of course!)

Transparency is a must in today’s business environment.  Security – yours and the consumers – is critical.

An approach taken by companies that places trust and accountability at the forefront – for consumers, business partners and employees – builds trust.  Companies that think ‘beyond compliance’ will not only avoid penalties, they will likely avoid loss of business, and maybe even grow it…!

What to learn more about this topic or need more proof? Click here