The California Consumer Privacy Act (CCPA) is here to stay, joining the ranks of the GDPR and healthcare privacy laws. Any doubts about the law's long-term prospects were put to rest in November 2020, when voters approved the California Privacy Rights Act (CPRA), often called CCPA 2.0, which extended the privacy rights of California residents even further. On top of this, a significant number of other states have passed their own data privacy legislation modeled on the CCPA and the GDPR, and there is every reason to think that more states will eventually follow.
Many businesses have adopted a wait-and-see approach when it comes to the CCPA. Executives know that they need to develop a compliance strategy, but it is tempting to put the project off until next year when faced with the expense in both time and money. An examination of some of the costs of noncompliance, balanced against the investment required for compliance, should help companies decide what's right for them.
The potential costs of noncompliance are far-reaching and varied. They range from injunctions and fines to less tangible costs such as negative customer interactions.
CCPA enforcement actions by California state authorities are the most obvious risk faced by businesses that are not yet compliant. After the law went into effect on January 1, 2020, the California Attorney General's office gave businesses a six-month grace period to make the necessary changes to their data privacy practices. That grace period is over, and enforcement of the CCPA is ramping up. The California Privacy Protection Agency, a new office specifically tasked with enforcing personal data privacy rights under state law, is fully staffed and begins enforcement in July 2023. It is reasonable to expect that this agency's creation will result in a further increase in enforcement activity.
Since the CCPA enforcement date passed, the California AG's office has sent out many notices of alleged noncompliance (cure notices) to businesses. Those businesses had 30 days to fix the problem or face civil penalties of up to $2,500 per violation. (Intentional violations, such as where a business has ignored previous warnings, carry a penalty of up to $7,500 per violation.) Makeup retailer Sephora paid a $1.2 million penalty as part of a 2022 settlement. As of 2023, the state is no longer required to give businesses 30 days to fix violations; it can proceed directly to penalties and injunctions.
Less tangible but equally real is the effect that CCPA compliance can have on consumer goodwill. Consumers' expectations regarding data privacy are changing rapidly. Not providing CCPA notices or links to opt out of data sharing can generate negative online interactions and even trigger a complaint to the California Privacy Protection Agency. On the other hand, a company with a transparent data privacy program and an easy-to-use opt-out builds consumer trust and positive feelings toward the business.
CCPA compliance can also significantly affect a business's online marketing capabilities. To honor consumer opt-out requests, advertising platforms like Facebook and Google now offer restricted modes in which they turn off retargeting for the individual consumer who opted out and process that consumer's data only as a CCPA service provider rather than as a third party. If a business chooses not to offer the required privacy notices and opt-out links, the only way for that business to be CCPA compliant is to deactivate retargeting for all of its consumers. Retargeting is a powerful marketing tool (commonly quoted figures put the lift in customer conversions at around 70%), but companies without a fully implemented CCPA strategy may have to abandon it altogether.
While CCPA compliance should be a priority for any business that falls under its requirements, many executives are left wondering what the best way forward is, especially with regard to cost. There are two primary paths to CCPA compliance: legal or consulting services, and software solutions.
Bringing in a law firm or consultant is the more traditional route for all sorts of regulatory compliance issues. The main benefit is the personalized attention these specialists can give to your company. They can dig deep into your current data collection, storage, and sharing practices, then design a custom-tailored solution just for your company. There are a few drawbacks to this approach, however.
First, as with a custom-tailored anything, it tends to be more expensive. Legal and consultant rates are costly, and the project may be more complex than you anticipated. Second, these types of bespoke solutions often take more time to implement. You may have a whole team of employees working with the consultants for weeks instead of performing their core duties. Lastly, and perhaps most crucially, data privacy laws are always changing. The CCPA has already gone through several rounds of regulatory changes, and CCPA 2.0 brings a broad array of new requirements. Every time CCPA regulations are updated, the consultants will have to return to analyze everything again and make the required adjustments.
For most companies, CCPA compliance software is the better option. You get the same level of data privacy expertise in a far more streamlined and cost-effective experience. Compliance efforts that may take weeks under a consultant can be finished in as little as a day with CCPA software. Support staff can still provide all the help needed to deploy the software and customize it to your business, but the process is much more straightforward and more automated. Your team can quickly get back to their real jobs instead of working on compliance issues. A software solution also has the benefit that it can be updated easily to reflect new changes in the law, significantly reducing opportunity costs and capital expenditures in the future.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Published on the TrueVault blog.