Are Organizations Ready for The California Consumer Privacy Act (CCPA)?


Why Organizations Aren’t Ready for the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) went into effect on January 1st, and many organizations haven’t started preparing to comply with the legislation. In fact, the state of California itself doesn’t appear to be ready to enforce the 10,000-word, 31-page piece of legislation. Draft regulations to provide guidelines for enforcing the law are still being debated and finalized at the state level. Many questions remain unanswered about various aspects of the law, which is the most significant privacy regulation in the US in many years and the first globally since the European Union’s General Data Protection Regulation (GDPR).

Many organizations, compliance professionals and IT security staff are still scrambling to deal with GDPR and all the requirements it placed on organizations when it took effect on May 25th, 2018. Eighteen months later, the CCPA promises even more daunting challenges, according to many experts who have been working with organizations to implement the necessary changes and protections.

Ahmad Alomari, Principal Cyber Security Engineer at SecureOps, has been working overtime to help clients identify PII, add security to the databases that store sensitive data, map systems and, most challenging, create systems for handling the requests from prospects and consumers that the CCPA encourages. In Ahmad’s video, he suggests “it’s not just changing privacy terms or using technology to better protect customer data, there are significant changes that must be made to databases, CRM systems, and other systems and applications that organizations may not be aware of at this point in the legislation’s lifecycle.”

California Attorney General (AG) Xavier Becerra Will Not Enforce the CCPA Until July

That is the headline that many DPOs, heads of IT security and professionals in charge of consumer privacy in their organizations were reading last month while breathing a sigh of relief. However, Becerra’s office will enforce violations that occur starting Jan. 1! I added the exclamation point because if California’s AG finds violations in January or February or anytime prior to July, he will prosecute those violations – he will simply wait until July to do so.

California Attorney General (AG) Xavier Becerra’s office will enforce violations that occur starting Jan. 1!

In response to the panic and tsunami of questions from small businesses, Becerra suggested that he will relax enforcement for smaller companies that make an actual effort to comply, yet he stated, “ignorance of the law is not an excuse.” He further said that those businesses that “stick their head in the sand” and ignore the new law should be aware that they will likely be the subject of enforcement in the second half of 2020.

In a blog post we wrote several months back, Four Data Protection and Privacy Laws You Must Know, we discussed GDPR, China’s Cybersecurity Law, the Colorado Protections for Consumer Data Privacy law (HB 18-1128) and the California Consumer Privacy Act (CCPA, or AB-375). Two months ago we also wrote a blog post, How the California Consumer Privacy Act (CCPA) Will Impact Business, specifically describing how the Act would affect business and how businesses should prepare for the major components and sanctions of the legislation.

Let’s revisit them for just a moment before we go forward.

What Are the Key Components of the California Consumer Privacy Act (CCPA)?

The CCPA gives California residents the right to:

  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of personal data.
  • Access their personal data.
  • Request that a business delete any personal information about a consumer collected from that consumer. This is not the GDPR’s “right to be forgotten.”
  • Not be discriminated against for exercising their privacy rights.

The CCPA is following in GDPR’s footsteps when it comes to levying fines for not following the stringent guidelines of the law. For example, the California Civil Code that defines one major sanction reads “civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater.”

What Exactly is the California Consumer Privacy Act (CCPA)?

Plainly, the California Consumer Privacy Act (CCPA) is a bill intended to enhance privacy rights and consumer protection for residents of California. The intention of CCPA is to provide California residents with the right to:

  • Request that a business delete any personal information about a consumer collected from that consumer. This is not the GDPR’s “right to be forgotten.”
  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of personal data.
  • Access their personal data.
  • Not be discriminated against for exercising their privacy rights.

Which Businesses are Affected by the California Consumer Privacy Act (CCPA)?

The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:

  • Has annual gross revenues in excess of $25 million;
  • Possesses the personal information of 50,000 or more consumers, households, or devices; or
  • Earns more than half of its annual revenue from selling consumers’ personal information.

Organizations are required to “implement and maintain reasonable security procedures” and practices in protecting consumer data.

Facebook and Others Refuse to Change Web Tracking Practices

According to an article in the Wall Street Journal, Facebook has told advertisers that it does not need to make changes because the social media company does not directly sell the data it collects about users. That article requires a subscription, so allow me to provide the gist of it in several sentences.

Facebook’s web-tracking system is called Pixel; the company positions the system as a business-to-business ad service. Pixel works like this: when Facebook users visit the site, it uses a single invisible pixel to deliver cookies to the end user’s browser. Those cookies track web user movement beyond Facebook, building a personal profile based on the sites you visit. Let’s put that in bold because it’s worth repeating.

When Facebook users visit the site, Pixel uses a single invisible pixel to deliver cookies to the end user’s browser. Those cookies track web user movement beyond Facebook, building a personal profile based on the sites you visit.

Facebook is currently suggesting that it is exempt from the CCPA because it is not directly selling the personal data it collects from consumers to the businesses that market to Facebook users, and because the data itself is never visible to the organizations that leverage it.

The organizations provide Facebook with the target demographics, including age range, sex, location and so on, and Facebook serves ads to that target prospect. Most legal and compliance experts are fairly certain that Facebook is currently in violation of the CCPA; however, as we suggested earlier, we won’t know until at least June or July.

If the company is found to be subject to the CCPA, it would face potential fines of $2,500 for each unintentional web tracking violation and $7,500 for each intentional violation.

Conclusion: Why Facebook and the CCPA Outcome is so Critical for Business

First, Microsoft announced several months ago that the company would comply with the CCPA in terms of web tracking and data collection in the US, and since then quite a few other companies have said they would comply as well. This will put pressure on organizations like Facebook to be more transparent about their data collection efforts, and in all likelihood they will be forced to allow users to block the collection of data through their privacy settings.

Second, 16 other states are creating legislation that looks quite a bit like the CCPA, adding pressure, and certainly the risk of fines and penalties, for Facebook. Finally, Facebook is under intense scrutiny for the privacy issues with WhatsApp, Instagram and Cambridge Analytica.

Many are betting that the outcome of the Facebook decision by the California AG this summer will likely set a privacy precedent that organizations across the US will have to follow.
