On January 1, 2020, the California Consumer Privacy Act (CCPA), which passed into law on June 28, 2018, took effect. Businesses had well over a year to prepare, and a good portion have at least made some steps, but some are still scrambling to become fully compliant because of the complications and expense involved.
Process
As an eMarketer article noted, you cannot expect 100% compliance right at the outset. It quoted Lauren Fisher, principal analyst at eMarketer: ”Like we saw with GDPR, CCPA compliance is a journey that most companies won’t be able to complete before the January 1, 2020, deadline.”
She added: “Even those who feel ready and say they’re compliant will likely have to make modifications and changes as the year progresses and the true nature of the regulation becomes clearer. Companies need to look at compliance as an ongoing process and not a static checklist.”
Complexity
Even larger companies with the resources to tackle the enormous expense and legal untangling involved in compliance are finding it a far from simple undertaking.
Reuters quoted a Walmart source that said the giant retailer is “working through a lot of ambiguities in the law, for example, the language around loyalty programs and if retail companies can offer them going forward.” Among the points of difficulty is pinpointing what counts as selling information.
Cost
Even estimating the cost of compliance is not simple. Reuters offered two widely different figures: the impact assessment prepared for the California Attorney General’s office that gave its wide range of $467 million to $16.5 billion over the next decade and the industry estimates that estimate the much higher figure of over $50 billion.
Trying to avoid the expense of compliance can also be costly, with penalties as high as $7500 for what’s viewed as an intentional violation.
Case in point
With the risk of fines looming, online sellers with customers in California can’t afford to ignore the new law and so have added dedicated sections regarding the rights of Californians. For example, scrolling to the bottom of the page on Target.com will bring up links with information on CCPA for California residents and another link to a form entitled Do Not Sell My Personal Information – California.
On the other hand
Interestingly, though, Amazon claims it does not need such notices. Reuters quoted what a company representative said in a statement: “We do not plan to put a ‘Do not sell’ button on our website because Amazon is not in the business of selling customers’ personal data, and it has never been.”
Likely that’s because Amazon keeps the data it collects to itself and manages marketing across websites accordingly. The great loophole of controlling everything.