California Privacy Law: Its Impact on Businesses

Schellman's privacy practice leader and principal, Debbie Zaller, shares her opinion with NTD on the impact the CCPA is having on businesses, and how ambiguities in the law are making it difficult to comply. Read the full article below or on the NTD website.


By Catherine Wen

A sweeping consumer privacy law went into effect in 2020 in the state of California, but it seems many businesses are still not yet ready to comply.

The California Consumer Privacy Act (CCPA) is one of the most significant regulations overseeing the data collection practices of U.S. companies. It gives consumers more control over their personal data: they can ask businesses what data is held about them, request that businesses delete the data, and stop companies from selling the information.

Although it’s a California state law, “the resources required to verify whether somebody’s really a Californian or not may make it not worthwhile for businesses to do that. And they may end up applying the rights much more broadly than they really apply,” said Laura Jehl, Global Head of Privacy and Cybersecurity Practice for the law firm McDermott Will & Emery.

Some retailers, including Home Depot, will allow shoppers not just in California but around the country to access such information online.

According to a fact sheet (pdf) from the California state attorney general’s office, the new law applies to companies with annual revenues of over 25 million dollars; those that buy, receive, or sell the personal information of over 50,000 people; and those that derive 50 percent or more of their annual revenue from selling consumers’ personal information.

Aside from retailers, the law affects a broad swath of firms including social media platforms such as Facebook and Google, advertisers, app developers, mobile service providers, and streaming TV services, and is likely to overhaul the way companies benefit from the use of personal information.

Consumers can now see a “Do Not Sell My Personal Information” link at the bottom of some retailers’ websites such as Target, Walmart, and Home Depot. But according to two privacy experts who have been helping businesses prepare for compliance, it doesn’t seem like all businesses are fully ready.

“A lot of them are not,” said Jehl. “You can blame some of that on the sort of last-minute rollout of the regulations and the amendments to the law. A lot of companies were waiting to see what was going to happen.”

The CCPA was signed into law on June 28, 2018, and additional substantive amendments were signed into law on Oct. 11, 2019. The effective date was only two months later, on Jan. 1, 2020.

The law follows Europe’s controversial General Data Protection Regulation, which set a new standard for how companies collect, store, and use personal data. The European law gave companies years to comply, while CCPA has only given them a few months.

Besides the rushed deadline, ambiguities in the law itself also make it difficult to comply. One example is the definition of “sale of information.” “This is really a difficult area for a lot of marketing companies,” said Debbie Zaller, a privacy practice leader at Schellman & Company.

“They’re really trying to figure out if this law applies to what we do. Does the sale of information mean that, if we just transfer information to another organization, does that count as a sale? I think people are trying to figure out how it applies to their business and how does it affect their business,” said Zaller.

The vague definition also allows some companies to push back against the new regulation. Facebook has said it is exempt from CCPA, as it does not directly sell the data, but sells ads based on the information it collects.

The law won’t have enforcement power until July 1. According to Jehl, from now until then, expect “more confusion, continued development of the law, and a lot of legal challenges.”

An economic impact assessment prepared for the California Attorney General’s office by an independent research firm found compliance with the regulations will cost businesses between $467 million and $16.5 billion between 2020 and 2030. Industry estimates peg initial compliance costs at over $50 billion.

Several other states are considering their own privacy laws. New York state proposed a data privacy law, but it failed to pass. Massachusetts and Connecticut are among the states considering such laws.

Federal lawmakers are looking at California as a guide as they consider a federal privacy law. But lawmakers disagree over several issues, including preemption of state laws.

Reuters contributed to the report.

About the Author

Debbie Zaller

Debbie is Principal and co-owner at Schellman & Company, LLC. She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice. Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee. She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.
