By Jay Bemis | Advertising Systems Inc.
With just a few months looming until advertisers are expected to comply with California’s new data privacy act, only about 8 percent of businesses are prepared for it, according to a recent survey by consent solutions provider PossibleNow.
Other polling suggests that only about half of businesses say they’ll be ready for the new law by Jan. 1, when it officially takes effect, and another quarter say they’ll be ready by July 1, 2020, when the act becomes “enforceable” by the California attorney general’s office.
The California Consumer Privacy Act (CCPA) comes on the heels of the European Union’s somewhat similar General Data Protection Regulation, which went into effect last year.
“Just as with GDPR, a significant number of businesses are caught between the cost and the effort of complying with CCPA and the probability of enforcement actions against them,” Eric Tejeda, head of marketing at PossibleNow, said of his company’s polling results showing that only 8 percent of businesses that are ready for the California law.
Companies like Tejeda’s help businesses and marketing teams compile technological solutions for online challenges such as GDPR and CCPA.
One hurdle for businesses is that the California Assembly keeps adding amendments to its legislation — seven were voted upon and added in July alone.
Also causing businesses to procrastinate a bit is the six-month window between when businesses are expected to comply with CCPA on Jan. 1 and when it actually becomes “enforceable” on July 1. Thus, they’re taking a wait-and-see approach to see what happens with companies that meet earlier compliance.
Similar to Europe’s privacy act, California’s law gives online users the right to know what information companies are collecting about them, why the companies are collecting that data and with whom the data is shared. Californians also can tell companies to delete their information or not sell or share their data.
CCPA applies particularly to those companies with annual gross revenues totaling $25 million or more, those that buy or sell customer data on more than 50,000 individuals and those that make more than half of their annual revenues from selling customer data.
It also makes it easier for consumers to sue companies after a data breach, bestows more authority for the state’s attorney general to fine companies that don’t comply with the new rules, and it makes it more difficult to share or sell data on children who are younger than 16.
In Europe, meanwhile, enforcement actions continue to be levied under the GDPR, which in July levied fines of $228 million upon British Airways for leaking data on a half-million customers and $124 million against Marriott International for exposing a variety of personal data from 339 million guest records worldwide.
Don’t Expect U.S. Data Protection Act Anytime Soon
A revelation by Facebook last year that it had released private information about 85 million of its users to Cambridge Analytica has raised calls for the United States to adopt a national privacy law similar to the GDPR. Any U.S. law, however, probably would look more like California’s privacy act since Europe and the United States historically have regulated privacy differently.
Congress just returned from a month-long recess, though, with no data-privacy proposals yet introduced to what remains of its 2019 hopper.
As Politico recently reported: “The limited legislative days left this year are expected to be dominated by budget and debt ceiling battles, and the intensifying election campaign will further suck up political oxygen going into 2020.”
During a congressional hearing in July, before Congress went into its August recess, Sen. John Kennedy, R-Louisiana, lamented the lack of action on data privacy legislation.
“We’ve been talking for what, two years about a privacy bill?” Kennedy asked. “Haven’t seen one, don’t know if we’ll ever see one.
“We need a microwave, not a Crock-Pot here.”
