California Privacy Law: Its Impact on Businesses

Schellman's privacy practice leader and principal, Debbie Zaller, shares her opinion with NTD on the impact the CCPA is having on businesses, and how ambiguities in the law are making it difficult to comply. Read the full article below or on the NTD website.

By Catherine Wen

A sweeping consumer privacy law went into effect in 2020 in the state of California, but it seems many businesses are still not ready to comply.

The California Consumer Privacy Act (CCPA) is one of the most significant regulations overseeing the data collection practices of U.S. companies. It gives consumers more control over their personal data: they can ask businesses what data they hold on them, and request that businesses delete the data or stop selling the information.

Although it’s a California state law, “the resources required to verify whether somebody’s really a Californian or not may make it not worthwhile for businesses to do that. And they may end up applying the rights much more broadly than they really apply,” said Laura Jehl, Global Head of Privacy and Cybersecurity Practice for the law firm McDermott Will & Emery.

Some retailers, including Home Depot, will allow shoppers not just in California but around the country to access such information online.

According to a fact sheet (pdf) from the California state attorney general’s office, the new law applies to companies with annual revenues of over 25 million dollars; those that buy, receive, or sell the personal information of over 50,000 people; and those that derive 50 percent or more of their annual revenue from selling consumers’ personal information.

Aside from retailers, the law affects a broad swath of firms including social media platforms such as Facebook and Google, advertisers, app developers, mobile service providers, and streaming TV services, and is likely to overhaul the way companies benefit from the use of personal information.

Consumers can now see a “Do Not Sell My Personal Information” link at the bottom of some retailers’ websites such as Target, Walmart, and Home Depot. But according to two privacy experts who have been helping businesses prepare for compliance, it doesn’t seem like all businesses are fully ready.

“A lot of them are not,” said Jehl. “You can blame some of that on the sort of last-minute rollout of the regulations and the amendments to the law. A lot of companies were waiting to see what was going to happen.”

The CCPA was signed into law on June 28, 2018, and additional substantive amendments were signed into law on Oct. 11, 2019. The effective date was only two months later, on Jan. 1, 2020.

The law follows Europe’s controversial General Data Protection Regulation, which set a new standard for how companies collect, store, and use personal data. The European law gave companies years to comply, while CCPA has only given them a few months.

Besides the rushed deadline, ambiguities in the law itself also make it difficult to comply. One example is the definition of “sale of information.” “This is really a difficult area for a lot of marketing companies,” said Debbie Zaller, a privacy practice leader at Schellman & Company.

“They’re really trying to figure out if this law applies to what we do. Does the sale of information mean that, if we just transfer information to another organization, does that count as a sale? I think people are trying to figure out how it applies to their business and how does it affect their business,” said Zaller.

The vague definition also allows some companies to push back against the new regulation. Facebook has said it is exempt from CCPA, as it does not directly sell the data, but sells ads based on the information it collects.

The law won’t have enforcement power until July 1. According to Jehl, from now until then, expect “more confusion, continued development of the law, and a lot of legal challenges.”

An economic impact assessment prepared for the California Attorney General’s office by an independent research firm found compliance with the regulations will cost businesses between $467 million and $16.5 billion between 2020 and 2030. Industry estimates peg initial compliance costs at over $50 billion.

Several other states are considering their own privacy laws. New York state proposed a data privacy law, but it failed to pass. Others, including Massachusetts and Connecticut, are considering their own privacy laws.

Federal lawmakers are looking at California as a guide as they consider a federal privacy law. But lawmakers disagree over several issues, including preemption of state laws.

Reuters contributed to the report.

About the Author

Debbie Zaller

Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national service lines of SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.
