As goes California, so goes the nation
The digital privacy tsunami is coming at last to the United States and, unsurprisingly, the wave will break first on the West Coast.
On Jan. 1, 2020, California will implement the California Consumer Privacy Act (CCPA). Under the law, any company that does business in California must reveal, upon a resident’s request, what personal information it has collected about any California resident. What is more, Californians will have legal grounds to require businesses and data brokers to cease the sale of that information and to demand that they delete it.
California has an outsized impact on U.S. law and policy for a range of reasons. Taken as a country, the state would boast the world's fifth-largest economy. Its concentration of entertainment, media and technology companies makes it a cultural and business bellwether. California’s progressive voter base has also made it America’s policy proving ground on issues ranging from workers’ rights to tax law to the environment. Indeed, in state capitals across the U.S., agencies and legislators have taken notice and lawmakers have begun drafting CCPA-inspired legislation.
But perhaps the greatest reason for the Golden State’s impact on business is its population. One out of nine Americans now call the state home. Most of the world's Fortune 1000 companies, along with more than 3 million small- and medium-sized businesses, interact daily with California residents. With online commerce accounting for a growing portion of consumer spending, at least a million other small businesses sell into the state every year.
For these reasons, a major change in California law concerns most U.S. businesses, particularly as CCPA appears to be the beginning of a groundswell. As ironic as it might be that the end of the internet’s “Wild West Era” should come from the cradle of the technology revolution, it is perhaps also fitting.
How did we get here, and what should organizations think about with just a few months until the curtain rises on this new era of data transparency?
GDPR: The first data protection soldiers on the beach
The European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018. The law’s aim was both simple and, in the libertarian spirit that infused the Internet Revolution, laudable: to give each individual control over who collects their personal data and how that data gets used. Businesses that handle personal data would be required to inform consumers if they capture their information and to put into place safeguards to protect that data from unauthorized use.
The GDPR also comes with strong, practical and meaningful enforcement guidelines. Noncompliance can result in fines and penalties that would be material to the affected companies’ financial results and well-being. In just one recent example, the French data protection authority fined Google approximately $57 million (the highest fine to date) for violating the GDPR.
Today, many experts consider the GDPR to be the strongest data protection law in the world. Its passage, despite the challenges of legislating across the entire EU, is an inspiration to legislators previously stymied in their efforts to protect consumers. Inspired by the GDPR and frustrated with the pace of regulation at the federal level, California’s lawmakers did what Californians normally do: they innovated, built upon the core of GDPR and created a law that could be effective and withstand the rigors of the litigious U.S. regulatory environment.
Digital transformation has a cost
Recognizing the threat of the CCPA’s enactment and seeing an opportunity for innovation, the barons of Tech Capitalism have responded, starting the adjustment process to this new business and geopolitical reality.
In August, the Business Roundtable pledged to run their organizations with the interest of all stakeholders as a priority, not just shareholder value. A driving force behind this pledge from CEOs from some of the nation’s largest companies is the increased scrutiny of how companies handle personal data.
Sensing strong consumer support for the CCPA and similar initiatives, major players across a broad swath of sectors ranging from large banks to retail have already started the compliance process for Jan. 1. An open question remains: Are the majority of non-technology organizations as ready?
Conventional belief holds that the first company caught in CCPA’s enforcement net will be a “big tech company,” and enforcement officials will be tempted to make an example of a large firm. Yet, there is a chance one of the first targets will be a smaller non-tech organization.
A common chestnut in this era of digital transformation is “every company is a tech company, but they might not know it yet.” Nearly every business organization, regardless of size, is undergoing some form of digital transformation for survival or competitive advantage. For late-stage tech adopters, “digital transformation platforms” commonly mean e-commerce, CRM marketing, online purchases, cybersecurity, cloud adoption and social sales engagement. These are now considered common business practices for “non-tech” companies.
In the race to transform, many CIOs and CTOs have, often unwittingly, left privacy concerns behind other, more pressing imperatives. While this is understandable, and to this point has not been a costly decision, CCPA changes the calculus and starts a clock for each company. It is now no longer a question of “if” but of “when” a company will find itself called upon to account for its privacy practices.
With less than six months until the law is enacted, all companies and organizations operating in California or with the need to think about:
David Baum is a senior vice president in Allison+Partners’ Corporate practice. David Wolf is the managing director of Allison Advisory, a management consultancy focused on building lasting competitive advantage for its clients by helping them understand, manage, meet, and ultimately exceed stakeholder expectations throughout the enterprise. This is the first in an ongoing series about data collection and privacy.