If you’ve been skimming through recent filings with the SEC, you might have noticed a handful of mentions of the CCPA. These aren’t references to the Canadian Cashmere Producers Association (which is, in fact, a real thing), but rather a sea change in privacy law.
The California Consumer Protection Act, which goes into effect on January 1, establishes a broad range of consumer privacy rights for residents of California. Among them, consumers will have the right to request the data that companies collect on them, the purpose of collecting the data, and how the information is used. Consumers can opt out of allowing companies to sell their data to third parties or even ask companies to delete the information. Additionally, they will have the right to damages from data breaches of companies with inadequate security measures.
Notably, the new rules apply to companies that do business or simply display a website in the Golden State, even if they are not headquartered there. In other words, no matter where their headquarters are located, companies that don’t comply with the CCPA will lose access to the world’s fifth-largest economy. As a result, companies will essentially treat the CCPA as a national law, according to privacy experts.
Historically, the clout that comes with California’s size has helped make it a standard-bearer on a number of issues going beyond data privacy. The present moment is no exception. The state is currently butting heads with the National Collegiate Athletic Association over a bill passed by state legislators to allow college athletes to profit from their names, images, and likenesses. An agreement with four car manufacturers to tighten their fuel-efficiency and emissions standards beyond federal requirements has rankled the Trump administration and may lead to a legal showdown. Meanwhile, California policymakers are tackling the thorny classification of “gig economy” workers, passing a bill that generally designates them as employees rather than independent contractors.
California’s pioneering privacy law comes on the heels of the enactment of similar rules in the European Union known as the General Data Protection Regulation (aka GDPR). That one-two regulatory punch has prompted disclosures in SEC filings. In the last year, the number of U.S. publicly traded companies citing risk factors relating to cybersecurity, data privacy and information technology has spiked 4.5%, according to Intelligize data. The uptick for companies headquartered in California is even higher at almost 11%.
It’s clear, however, that the CCPA is having an effect everywhere in the United States. As an example, New Jersey-based Automatic Data Processing Inc. said in its 2019 annual report that complying with the CCPA and GDPR “may result in significant costs to our business and require us to amend certain of our business practices.” Two Massachusetts-based companies have also cited the CCPA as a risk factor. Talking about the California law and the GDPR in a quarterly report this summer, TripAdvisor Inc. noted that “implementing and complying with these laws and regulations may be more costly or take longer than we anticipate.” Akamai Technologies Inc., meanwhile, indicated in a quarterly report that the growing regulatory focus on privacy “could expose us to increased liability.”
Whether they view the CCPA as a California dream or nightmare, the reality for publicly traded companies is that they will find themselves wrestling with its standards, no matter where their headquarters are located.