It’s called the California Consumer Privacy Act, but the CCPA will effectively be the US national data privacy standard for consumer businesses and brands when it takes effect on January 1, 2020. (Although enforcement by the California attorney general has been delayed until June 2020, individual and class-action lawsuits may begin immediately.) As of this writing, that’s precisely 12 weeks, or no more than 55 working days, allowing for the holidays. Given how many companies were radically unprepared for the GDPR despite having two years to prepare, this implies that lots of companies need to do lots of work, and fast.
There are three interrelated and inescapable reasons why CCPA-compliant data practices will quickly become the standard across the US, even for companies that don’t do business in California:
- The massive California economy: California is the fifth largest economy in the world, after only the US, China, Japan, and Germany. (In 2018 it surpassed the UK, which has over 50% more residents.) It is the home of 40 million people, meaning that one in eight US residents lives in California. Few companies of any substance are going to ignore the California market, or walk away from it on account of the CCPA.
- The identification conundrum: Unlike the GDPR, which protects the personal data of anyone physically present in the EU, the CCPA applies to California residents – a term defined, in the first instance, as “every individual who is in the state for other than a temporary or transitory purpose.” That means that any business that intends to apply CCPA rights and protections only to California residents must have an accurate and reliable means of identifying them and sorting them out for special treatment. On the web, you might try using IP addresses – except a) that approach is defeated by the increasingly popular use of virtual private networks (VPNs) and privacy-based browsers such as Brave and b) the CCPA also protects California residents who are outside of the state on a “temporary or transitory” basis. Moreover, businesses would need to be able to identify California residents across every channel or interaction format. Short of asking every consumer if they are Californian – and counting on an accurate answer – the practical solution is to apply the CCPA requirements to all consumer interactions.
- The Californication of data practices: Even if you could devise a magical solution to the identification conundrum, it makes little business sense to create and maintain a separate and distinct data processing system – technologies, processes, and training – for California residents. (Let alone distinct systems for the dozens of countries, US states, and municipalities that have recently instituted new laws on personal data.) For the sake of efficiency, productivity, data security – and sanity – companies should operate from a privacy high ground – a single data privacy approach that meets or exceeds all applicable requirements. (Just as most automobile manufacturers eventually built all cars for the US market to meet California’s more rigorous emission standards – hence, Californication.)
From a regulatory perspective, the CCPA is the proper template on which to build your data practices (combined with the GDPR, if you do business in Europe). But as I never tire of saying, the real touchstone for data privacy is consumers’ demands and expectations, not (only) regulatory requirements.
Contact TCA if you want to discuss an action plan for CCPA.