How Much Is the California Privacy Act Going to Cost You?
Interesting topic. From reports in the press, we haven’t even put General Data Protection Regulation (GDPR) to bed yet. If you are unfamiliar with the California Consumer Privacy Act (CCPA), you may like to read our previous blog that offers an overview of CCPA. What we didn’t get into in that blog is what CCPA means to organizations regarding penalties and fines. Well, you’ve come to the right place – that’s what we are going to look at here.
California is a big state. With a gross domestic product of $2,971 billion, a $2.9 trillion economy, and 39.6 million people, the chances are that your organization may have customers there. If not, don’t think you are off the hook. Read on, as the majority of US states will probably be implementing similar laws.
Won’t that be a mess? Consumers are happy and businesses and organizations are up in arms. If, and that’s a big if, companies had become GDPR compliant, this wouldn’t really be a big deal. Unfortunately, that was not the case. What follows are the key costs associated with the CCPA, and the possible ramifications for businesses that really don’t want to clean up their data.
If an organization has incurred a data breach, a citizen may initiate a civil action to recover damages. Interestingly, the law presumes the data will be misused. Damages range from $100 to $750. To put this in perspective, think of the Marriott Starwood Hotels data breach, with 5 million people affected. That’s a chunk of change.
Consumers can bring action against a company that has notified them that a breach occurred and informed them, “Your data may have been accessed or stolen.” Don’t you just love it when they use the word ‘may’ here? Damages can be awarded, without needing to prove actual damages. Sigh… we all should have become lawyers.
This one, I think, is legitimate. As California is leading the way, we can expect that other states will be close on its heels in passing similar data privacy laws. It appears that nothing will happen at the national level any time soon. Wake up, Washington. This does cause a problem for businesses, as they will need to comply with all state laws, which could get very messy. Or they become GDPR compliant.
So, what are some of the predicted dire consequences and burdensome obligations of this law?
- Data consolidation becomes a priority – Every company must have only one data repository. Who thought of that?
- Productivity declines due to legal oversight and administration – Too many hacks will start a litigation tidal wave, and business users will not be able to keep up and won’t be able to do their jobs. It will cause audit fatigue and will create confusion.
- Uncertainty as the commerce clause challenges the mandate’s legality – Undue burden on interstate commerce.
- Skyrocketing compliance infrastructure costs – Compliance will become too expensive and will suffocate companies, prices will go up, and jobs will be lost. Wow, that one is dire.
- Company profits will override personal privacy – Really? A company would take that stance?
Well, that’s it in a nutshell – the pros and cons of consumer privacy in the Golden State. Well, not quite in a nutshell, but that’s enough for today.
If you would like to read more, here’s a good article that defines the terms used in the CCPA.