The Irvine Chamber of Commerce hosted a lunch event on the new California Data Privacy Act, aka CCPA. This Act was forced upon and through the Legislature by the threat of a ballot initiative. As a result, it is about as well written as a 2nd grader's "what I did this summer" essay.
(Author's Note) It's a confusing pile of spaghetti, to say the least. I will do my best, based on my humble notes and the great slides & information presented by the US Chamber of Commerce, to give you all the basics.
OK, now we know it's a dumpster fire piece of regulation and it has gone into effect. Now what? Well, the good news is that it appears the Attorney General does not expect to enforce the Act until July 2020. How it will be enforced is also still up in the air, as the Attorney General has not drafted guidelines for enforcement (as of the time of this presentation). (Author's Note: as with any new regulation, there will be court challenges, and as cases resolve we will get a better idea of the full impact of the CCPA. We will also see how aggressively the Attorney General (AG) enforces the law and how the courts rule and create case law. It is common practice for AGs to find an easy target with deep pockets and make an example out of them.)
Who does it affect? More businesses than most folks realize. For example: 50,000 transactions divided by 260 work days a year is 139 transactions, so a food truck that uses a mobile-device-driven credit card reader could easily get ensnared by this Act.
The CCPA is vague as to what privacy is. In addition, it is up to the business to determine how to "verify" a consumer request, as well as to prevent non-public information from being given to scammers posing as a consumer. Talk about being caught in the middle: you have to verify the person is who they say they are or face civil action, and prevent sensitive data from getting into the wrong hands, which can also lead to legal sanctions.
The CCPA definition of a sale differs from the usual one, i.e. sharing a database (CCPA) rather than the generally accepted definition, based on an exchange of goods or services in return for monetary value.
It will be costly to provide data to consumers and the right to opt out of their data being sold. If you do sell data, you must have a Do Not Sell button for them on your website.
You cannot discriminate against customers who opt out or exercise their rights, i.e. customer loyalty programs. If you are a franchise of a larger org or biz, you are considered to be a part of the bigger org – biz and the rules apply.
General exceptions: HIPAA, GLBA (Gramm-Leach-Bliley Act for banking & financial data).
The consumer must be provided with their data if they make a verified request. Consumers have the right to be forgotten and to have their data deleted. Exceptions apply; see slide below:
There are exceptions for Employee data.
For those that use Salesforce CRM there is a Trailhead Module (Free online class – training) on US Privacy Law Basics here: https://trailhead.salesforce.com/content/learn/modules/us-privacy-law-basics
There is also a Salesforce Trailhead badge on European Data Privacy, aka GDPR, at:
Some of these exemptions expire 1/21/21 unless extended.
The presenter noted that when the European Union instituted its consumer privacy regulations, aka GDPR, it was ushered in over a 2-year transition period. By all accounts the transition was not perfect, but it was a reasonably smooth one.
The cost to business & the California economy is estimated to be, at a minimum, a $55 billion hit.
This does not include the hidden lost revenue due to the hours of time spent on compliance internally by sole proprietors and businesses. There is no Safe Harbor – Good Faith exemption either, which opens the door to predatory practices by attorneys and others who abuse the CCPA, much as some used the ADA (Americans with Disabilities Act) to threaten & bully small businesses with compliance lawsuits over minor violations unless they settled with them for thousands of dollars.
To further confuse matters, 15 other states have pending or planned legislation.
There are roughly 4 models: the California Model, which we have been discussing; the Washington State Model; the Fiduciary Model; and the Florida Model.
The US Chamber of Commerce has set up a website and done a short video; links below:
The US Chamber of Commerce has been active on Capitol Hill seeking a nationwide solution to avoid a patchwork of competing regulations.
The US Chamber of Commerce has created model legislation and is advocating for a national standard. This makes total sense because the internet is not local; it reaches across the whole country and the world. With elections pending (Nov 2020), it is unlikely much will be done until 2011. They suggested contacting your Senators and Congresspeople in writing to express your concern about how this will affect all of us on the web.
Author's Conclusion: As the CCPA evolves, one can only hope that the Attorney General takes a proactive, education-based approach towards good-faith attempts at compliance.