An estimated half-million businesses will be affected when the new California Consumer Privacy Act (CCPA) comes into effect on Jan. 1, 2021, the Financial Times reported on Thursday (Sept. 26).
Passed in 2018, the law dictates that consumers in California have the prerogative to access any and all personal data that a company has on them and request that it be deleted and not sold.
“Businesses have been waiting, waiting, waiting to see how these amendments come out, and this only really leaves a few weeks now [to prepare],” Rafi Azim-Khan, partner and head of the privacy team at Pillsbury Law, told the news outlet. “Whether they get everything done and everything right – that’s going to be an open question.”
The law was created to stop Big Tech companies like Facebook from collecting user data for targeted advertising. Businesses with annual gross revenues of $25 million or more are required to comply.
The final draft was just completed after numerous revisions and amendments. Now companies are scrambling to meet the requirements by the time the law takes effect.
“Once the new law takes effect, the California attorney general will overnight become one of the most powerful privacy regulators in the world,” Lindsey Tonsager, partner at global law firm Covington, told FT.
Even companies without a physical presence in California will have to follow the new mandate if doing business in the state or collecting data on California residents. Businesses are also affected if 50 percent of annual earnings come from consumer data sales.
“Companies that already had to apply to the EU GDPR are ahead of the curve,” Tonsager noted. “Smaller and medium businesses are having to spend [money] – millions of dollars in some cases – to comply.” These costs, she added, could end up being “indirectly passed through to consumers.”
Lobbying groups and trade associations representing tech giants such as Facebook and Apple have thrown their support toward legislation that could weaken California’s landmark privacy law.