What you don't know about the California Consumer Privacy Act


Before the California Consumer Privacy Act (CCPA) takes effect, many organizations still have questions about the CCPA’s impact.

What’s the CCPA’s price tag?

Forty-three percent of large companies will spend more than $10 million preparing for the CCPA, and one-fifth will spend more than $100 million, according to a PwC-sponsored survey of CIOs at companies with at least $1 billion in revenues. Ongoing compliance efforts will drive additional costs. The price tag is steep in part because of the scope of the new privacy legislation, which affects three-quarters of the state’s businesses, many of which are providing new data protections for all of their customers, not just those based in California. And CCPA compliance requirements are much more extensive than those associated with the state’s existing Shield Law.

Who’s ahead of the curve, and what are they doing?

  • Generally speaking, tech and telecom companies are the farthest out front when it comes to preparing for the CCPA. These organizations know they’re under the microscope of regulators and legislators, and several CEOs in these industries have been outspoken in support of privacy regulation.
  • Retailers are feeling the greatest CCPA urgency, in part because many have not had to deal with GDPR compliance. They face tight margin pressure, most don’t have the advantage of GDPR experience to leverage, and their fiscal year will be cut two months short due to the pre-holiday freeze.
  • Banking and insurance customers will have two different experiences beginning January 1. Account holders with most of the largest financial institutions will be able to exercise their CCPA rights. Everyone else may be frustrated, because many of their banks and insurers plan to use the Gramm-Leach-Bliley Act exemption in CCPA and not grant those rights to account holders.

Are companies turning this into an opportunity to position themselves as protecting customer/client privacy? How?

Consumer data – preferences, behavior, health-related, and geolocation – is the most valuable type of data, according to 38% of those responding to PwC’s Trusted Data Optimization Pulse Survey. Why? Because this type of data lets companies more effectively target customers with products and promotions catering to individual needs. So regardless of whether and when a federal privacy law emerges, companies should build no-regrets workstreams.

Privacy leaders can help their executives answer two key questions for the long term: Will American consumers demand the right to access and delete their data? Will they exercise those rights in significant volumes?

Penalties are set at $7,500 per violation. Are there expectations that non-compliance will initially result in warnings, or in immediate high penalties?

The retail industry in particular is very concerned about plaintiffs’ attorneys launching their efforts in a big way in January because of the relatively high levels of per-consumer damages included in the law. The first round of lawsuits is expected to surface January through June. California’s Attorney General then will start enforcement in July.

| Violation type | Enforcement begins | Minimum | Maximum |
| --- | --- | --- | --- |
| Data breaches (plaintiffs’ attorneys) | January 2020 | $100 per consumer per incident | $750 per consumer per incident |
| Individual rights violations (violations of rights to access, delete, do not sell -- CA Attorney General) | July 2020 | “Unintentional”: $2,500 per violation | “Intentional”: $7,500 per violation |

Which challenges are most likely to ensnare companies?

Figuring out:

  • Who is covered -- CCPA applies to California residents, the 37 million people who represent 12% of the US population. Because of this large share and the prospect of federal US privacy legislation, Microsoft and some large financial institutions plan to respond to all US individuals, regardless of state residency.
  • Which data is covered -- CCPA offers exemptions for personal information covered by the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and other federal and related California privacy laws. But our survey says that many will not exercise this option. Large or diversified conglomerates with multiple lines of business may find it difficult to determine whether an inquiring individual’s data falls entirely under one of these exemptions, however, and some are planning to respond to all inquiring individuals regardless of exemption.
  • How to respond to inquiries -- The larger a company, the more likely it won’t have enough time to automate a self-service option for consumers to exercise their CCPA rights. Nearly all companies will hire at least one full-time staffer to maintain their CCPA programs, according to a PwC survey. Two-thirds of companies say they will add more than 10 full-time staff and contractors, and 22% will add more than 50. Companies will also be using third-party technology more than they did for GDPR. Nevertheless, during the first months that CCPA is effective, many individuals are likely to face a manual experience that may or may not provide them with all of their data. Smaller companies with more homogeneous lines of business, however, may be ready for a more complete and automated consumer and employee experience.

If all the rules are codified as written, companies subject to CCPA are likely to be most affected by these seven provisions, because they are relatively difficult to operationalize in an automated and scalable way:

  1. Treating a rebuffed deletion request as a "do not sell" request
  2. Calculating the value of personal data
  3. Giving a notice of financial incentive for data retention or sale
  4. Record-keeping requirements for businesses that receive or buy personal information
  5. Attestations for the sale of personal information
  6. Opt-out notification to third parties
  7. Training individuals responsible for handling consumer inquiries

How does CCPA affect a company with deals in play right now?

CCPA requires businesses to “use and document a reasonable and good faith method for calculating the value of the consumer’s data.” And deal integration plans should take into account operational implications, such as the ability to respond to customers’ requests for their data.


Are companies building privacy capabilities not just for CCPA but for the regulatory future -- i.e., federal policy, or more states with stricter laws?

Many organizations are pivoting from one-off compliance drills to deploying enterprise privacy capabilities that will meet global privacy requirements. They’re doing so by:

  • Defining a global baseline that addresses what privacy laws share in common
  • Allocating responsibility for variances from that baseline to the regional “first line of defense” business operations

And some companies are targeting the 2020 legislative season as the time to renew privacy legislation at the state level. Nevada has already passed Do Not Sell regulations, and New Mexico is following suit.

Accelerating privacy regulation is the top emerging risk for many companies. PwC’s Risk Atlas enables a company to centralize global privacy and security regulatory requirements, controls and standards, and customize them to the organization’s business processes. It’s a one-stop nerve center for staying abreast of authoritative sources, knowing when to take action, creating a prioritized implementation plan, and tracking its effectiveness.

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US
