California Attorney General Xavier Becerra has just published proposed regulations (.pdf) that will fill in many blanks and much of the practical detail for CCPA, which is set to take effect next year in California but will have nationwide impact. The regulations seek to clarify and provide guidance to businesses on how to comply with the law.
Consumer rights under CCPA. CCPA gives consumers a right to know what personal data is being collected about them. It gives them a right to request that the information be deleted. It also allows them to opt out of the sale of that data to third parties. And it protects them against discrimination by platforms and publishers for exercising their CCPA rights. Becerra’s regulations address the practical implementation of these principles.
I previously wrote about CCPA’s potential impact being partly contingent on how easy it is for consumers to understand and exercise their rights in real time. If they’re confronted by a lot of confusing “manage cookies” options (as under GDPR), most people will simply click “OK” to access the desired content. However, CCPA envisions a prominent “Do Not Sell My Personal Information” or “Do Not Sell My Info” link or button on websites.
Consumers would potentially opt out if it’s simple. Unlike GDPR, CCPA is an opt-out law that requires the consumer to affirmatively request that their data not be sold or otherwise transferred to third parties. An obvious “Do Not Sell” link would make it much more likely that consumers would exercise these rights. A recent survey from BritePool and Annenberg Research found that roughly 87% of respondents would opt out of having their data sold to third parties if given the opportunity.
The publication of the Becerra regulations was met with a cautious and critical statement about potential “unintended consequences” from the Interactive Advertising Bureau (IAB):
IAB is currently evaluating the proposed regulations and will provide detailed feedback to the Office of the Attorney General. However, we have initial concerns that further remedy of some of the unintended consequences of CCPA is still needed to help businesses meet their obligations and to empower Californians with more control over their information.
IAB cites billions in compliance costs as pushback. The digital trade group has strongly lobbied against CCPA (though it has embraced the idea of federal privacy regulation). In its public statement in response to the regulations, the IAB cited an independent economic analysis (.pdf) prepared for California, which says initial compliance costs could reach $55 billion for California companies. It does not address costs for companies outside California.
Companies with fewer than 20 employees are estimated to spend an average of $50,000 to comply, while companies with more than 500 employees would potentially spend up to $2 million. There would also be some ongoing costs. The report further estimates that up to three-fourths of California businesses will be required to comply.
CCPA applies to any business that qualifies under at least one of the following scenarios:
- Annual revenues over $25 million.
- Buys/sells/shares personal data of 50,000 or more consumers, homes or devices.
- Receives 50% or more of annual revenues from the sale of consumer data.
Interested parties may submit feedback and comments on the regulations to the California Attorney General’s office through December 6.
Why we should care. There’s obviously a great deal at stake in how CCPA is implemented, whether it inspires other states to pass similar laws (it already has) and what impact all this has on federal privacy legislation, which won’t take place until after the 2020 election, if at all.
There’s a curious paradox surrounding CCPA. Some companies and interests are treating it like the sky is falling, while others are simply ignoring it for now. However, a recent survey from Capgemini Research found that GDPR compliance had delivered a number of strong benefits for compliant companies, from improved consumer trust and engagement to increased revenue growth. Overall, the GDPR-compliant businesses said they were outperforming their non-compliant peers across a range of metrics.