Skip to the content

The California Consumer Privacy Act (CCPA), signed into law June 2018 and effective January 1, 2020, will impact more than California consumers as the name suggests. The law, designed to protect consumer data in the internet age, ensures that California residents have the right to know and access what personal data a business has collected, to know if—and to whom—it is being sold or shared, to deny the sharing of the information, and to delete the personal information held by the business. The law also ensures that consumers will receive the same pricing and service from a business regardless of whether they exercise these rights. Moreover, business-to-business data will be subject to the law beginning January 2021. According to an economic impact assessment for the California Attorney General’s office, the law could cost companies up to $55 billion in compliance costs. Businesses and procurement departments across the country should begin preparing now to ensure that their operations are compliant.

How does the CCPA affect businesses outside California?

All for-profit businesses that operate in California and collect consumers’ personal information must comply with the CCPA if they meet at least one of the following criteria:

  • Has annual gross revenue in excess of $25 million
  • Buys, receives, or sells the personal information of 50,000 or more California consumers, households or devices
  • Derives 50% or more of annual revenue from selling consumers’ personal information

It doesn’t end there. The CCPA also applies to businesses that control or are controlled by an entity that meets the criteria if they share common branding. Moreover, businesses that operate a website in which California residents are able to provide their personal information are subject to the CCPA even if they lack a physical presence in the state.

With California’s population of nearly 40 million people (or about 12% of the total US population), very few businesses escape these thresholds. The result is a massive number of liable companies, many of which are unprepared for the looming regulation.

What does the CCPA require?

The CCPA imposes many new requirements on businesses subject to the law. With rare exceptions, the primary business obligations are as follows:

  • Businesses must notify consumers at or before data collection.
  • Businesses must create procedures for responding to consumer requests to know, delete and opt-out of data sharing, and these requests must be addressed within specific timeframes.
    • Businesses must, at a minimum, establish a toll-free phone number for submitting data requests.
  • Businesses must provide a link on the homepage of their website titled “Do Not Sell My Personal Information,” enabling consumers to opt-out of the sale of their personal information.

What happens if I don’t comply?

Noncompliance will get very expensive, very quickly. If businesses aren’t in compliance by January 1, California residents and the State Attorney General can sue any business that violates their rights under this law for damages of up to $750 per consumer per data breach. On top of legal costs, fines may be assessed for violations of the CCPA. Businesses are subject to a fine of up to $2,500 per unintentional violation, while intentional violations can reach $7,500 per incident. To avoid costly fees and litigation, impacted businesses should implement compliance measures as soon as possible.

How do I comply with the CCPA?

Fortunately for businesses, there are many resources to assist in adapting current policies and procedures to the new regulation.

  1. Web and Enterprise Content Management Systems
    Businesses should begin by assessing their current web and enterprise content management systems. The ideal solution will offer features that carefully track website user data and consent, as well as any third parties that the information is shared with. A management system that readily maintains thorough records in a central place will enable businesses to quickly respond to requests for information and deletion. If the current provider does not offer this functionality, businesses may benefit from switching suppliers sooner than later.

  2. Website Design Services
    Businesses will be required to update their online privacy policies and homepages to include a “Do Not Sell My Personal Information” link or tab. Website design services can assist in compliance.

  3. Risk Management and IT Consulting
    If the prospect of developing and managing a new data strategy in-house seems overwhelming, risk management and IT consultants can help. These providers can quickly get businesses up to speed and implement industry best practices to limit disruption and downtime. For large businesses or those with data spread out across many systems, partners or clients, working with a consultant may help to speed up the process and ensure that all regulatory boxes are checked.

What’s next?

All businesses, regardless of whether the CCPA impacts them, should assess their current data collection, sales and storage processes. While the CCPA is currently one of the most talked about data privacy shakeups, it isn’t the only legislation being debated and it won’t be the last. Multiple states have introduced similar laws, and federal legislation is often discussed in Congress. Businesses should proactively develop more advanced data storage and protection practices to get ahead of the curve.

By: Michelle Hovanetz

Sign up to our newsletter

Related Articles

ProcurementIQ Unveils Major Enhancements to Report Collection

You asked, we listened: New market intelligence tools and user-friendly report layout will deliver actionable insights faster than ever.

Back to Work Guide: The Office of the Future

Office operations have changed dramatically since the start of the pandemic and a sudden return to the old ways seems unlikely. To help businesses reimagine the work environment and support a changing office culture, we’ve put together some detailed guidelines.

Company Reports to the Rescue: Four Uses for Supplier Data in Procurement

Company-specific reports, also called supplier profiles or vendor assessments, contain valuable supplier information that supports vendor management and guides decision making.