The California Consumer Privacy Act could lead to a $55 billion gold rush
It has often been said that with change comes the potential of opportunity. And many existing companies and new start-ups are embracing the changes brought by the California Consumer Privacy Act (CCPA) as they seek to cash in on a possible $55 billion gold rush created by the requirements of the act.
What is the CCPA?
The CCPA is a Californian statute designed to increase consumer protection and privacy rights. Inspired by the EU’s GDPR (General Data Protection Regulation) Act, this is the biggest change to privacy laws in California in more than a generation
Passed in June of 2018, the bill came into force on the 1st January, 2020, though it is not expected that it will be fully enforced till the middle of the year. There are six main intentions to the act:
- Letting California residents know what parts of their personal data is collected.
- For them to access that data and see what has been collected and what it says
- Allowing people to know who has access to that data and if it sold or disclosed to others.
- Giving people the right to block the sale of any of their personal data
- Giving people the right to demand that a business deletes all data collected about them.
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Not to face any discrimination or other action for exercising any of these rights.
The new law is not aimed at every business. Those affected have to satisfy certain criteria: they need to have gross revenues of over $25 million annually, or they need to be involved in the buying and/or selling of consumer data (with a qualifier that this data exceeds more than 50,000 units, or they need to have more than half their annual revenue coming from selling personal consumer data.
An Opportunity for Start-Ups
While the level of success the CCPA will achieve remains to be seen, there is no argument over the amount of opportunities it has created. Astounding as it may seem, many of the companies holding massive amounts of consumer data have little idea of how much data they have, how they store it, or how secure it is. There are a few companies ahead of the game, but they tend to be larger companies who have existing operations in Europe and have thus had to comply with the GDPR there, therefore giving them a distinct advantage over companies based only in California or the U.S.
One major hurdle that has appeared already is an unwillingness of many companies to fully comply with the act. Given that the state has allocated limited resources to overseeing the act, how it will be enforced remains an unknown quantity at this time. But that hasn’t stopped existing tech companies and new starts pitching ideas on how to comply and how to handle the data they already have in their systems. With some mooting a potential $55 billion expenditure to fully comply, it is little wonder so many tech experts have packed a shovel and pick and rushed to cash in on a major gold rush. But with a lack of enforcement from the state and a stubborn unwillingness on the part of many companies, will there only be fool’s gold at the end of the rainbow?
40% of America’s 600 Largest Companies Had a Functioning Data Portal
One barrier to this act working well, at least in the short term, is the dearth of functional data portals. A data portal is the virtual gateway that allows users (i.e., consumers) to access their data online. An investigation by PwC (PricewaterhouseCoopers) found that only 40% of America’s 600 largest companies had a functioning data portal. And only a fraction of the companies that did have one extended access outside of California. Some users have complained that some of the companies that do have data portals have deliberately made design and interface confusing so as to either limit access or to lead the user to making wrong decisions.
And another issue with data portals is that there are varying degrees of efficient verification, with many portals using such unsophisticated systems that impersonating another user is fairly simple, thus allowing almost anyone access to personal data.
Security: Commentators Have not Seen any Ideal Solutions
As much of the impetus behind the CCPA revolves around the ideas of privacy and security, these are the areas the tech companies and startups looking to cash in on the act need to target. There has to be stringent security measures when verifying a user’s identification to ensure people can only access their own data. So far, technical commentators have not seen any ideal solutions from the many being touted. With enforcement beginning in July – though at what level is unknown – the clock is ticking for companies to comply and for tech companies to offer ideal solutions.
Photos : miro.medium.com/vox-cdn.com/ epactnetwork.com/