If the California Consumer Privacy Act (CCPA) applies to your business, there is no question you should already be in compliance with the privacy law. Enforcement began in July 2020, and with the creation of the California Privacy Protection Agency (CPPA), the expectation is that enforcement activities will increase dramatically. Some businesses have held off on making the required changes, as they weigh the risks and costs of non-compliance. Others may not yet realize that the CCPA applies to their business.
But what about those businesses that are not (currently) required to comply with the CCPA? It’s tempting to just breathe a sigh of relief and go back to business as usual. The initial compliance effort can be a lot of work and smaller businesses are often worried that they don’t have the resources for it.
Despite this, there is a strong business case for becoming CCPA compliant even if the law doesn’t apply to your business. Here are the major reasons why.
Consumer expectations are evolving rapidly when it comes to data privacy. People are more aware than ever of how much personal information they share with businesses. They want to know how it’s being used and they want to have some amount of control over it. By putting data practices out in the open and giving consumers the opportunity to make privacy requests, which is the essence of CCPA compliance, businesses can build a great amount of trust and goodwill.
Of course, most people don’t actually read privacy notices or make deletion requests. They do, however, want to see some outward expression that a business is taking their privacy seriously. Certification of CCPA compliance is a perfect opportunity to do just that.
When the CCPA first went into effect, it was mostly the larger businesses that were ready to be compliant from day one. This wasn’t surprising to anyone; big companies have the compliance staff, web developers, and resources in general to quickly adapt. They are also much more likely to come under scrutiny from the California Attorney General. Medium-sized businesses mostly came along later as they realized compliance was not going to be optional, and as better compliance solutions came on the market.
Because of this, and because the subject of data privacy makes people think of giants like Facebook and Google, CCPA compliance is associated in the minds of consumers with large, established companies. With a relatively low investment cost, smaller businesses can use CCPA compliance to signal to consumers, especially B2B clientele, that they have a comparable level of organization and staying power.
Because of this, and because the subject of data privacy makes people think of giants like Facebook and Google, CCPA compliance is associated in the minds of consumers with large, established companies. With a relatively low investment cost, smaller businesses can use CCPA compliance to signal to consumers, especially B2B clientele, that they have a comparable level of organization and staying power.
In one form or another, compliance with data privacy laws like the CCPA will be the way of the future for businesses operating in most U.S. states, if not nationally. The European Union’s General Data Protection Regulation (GDPR) was passed in 2016, followed by the CCPA in 2018. Nevada has since passed its own lighter version of the CCPA, and in March 2021 Virginia signed the Consumer Data Privacy Act (CDPA) into law. Washington and New York have both introduced similar legislation and are expected to pass something in the near future.
All of this new legislation is based on the CCPA and the GDPR. If Congress decides to take up the data privacy issue and pass a federal law, there is a good chance it will be based on the CCPA. Perhaps in part for this reason, many large corporations, such as Microsoft and Samsung, have decided to extend CCPA consumer rights nationally and even globally.
For small businesses with an online presence, it’s a question of when, not if, one of these new privacy laws will apply to them. If they are already CCPA compliant, it will require much less effort to comply with a similar law from another state. Getting out ahead of those other laws will save a lot of work down the road.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
