Between its drafting, passage, amending, and enforcement, the California Consumer Privacy Act (CCPA) has taken a long time to take shape—five years, to be exact. As tends to be the case with large legislative initiatives—and as we cover in our Official Guide to CCPA—keeping up with the law’s developments and effects has been difficult if you haven’t had your ear to the ground on state privacy happenings in the Golden State.
But as of July 1, 2023, the law is in its most complete form. The California Privacy Rights Act (the CPRA, which amended the original CCPA) has gone into effect, and the California Privacy Protection Agency (CPPA) now has full power to implement California’s state-level data privacy regulations.
Given that we’re some years into the CCPA’s lifetime and the law will likely be enforced to a new degree, the time has never been better to step back and look at some of the impacts of the regulation. Let’s discuss how the CCPA has reshaped the expectations of consumers and the data privacy obligations to which businesses are now held.
How the CCPA Is Shaping What Consumers Expect from Businesses
Because it’s the first state-level comprehensive set of regulations, the CCPA did more than shift what California residents view as possible (and non-negotiable) when it comes to their data privacy rights. It also introduced Americans writ large to the possibility of consumer protections that had only been provided abroad through laws like the GDPR.
The string of state-level data privacy regulations that was jumpstarted by the CCPA no doubt played a large role in the seismic shift in the landscape of consumer demands and concerns regarding data privacy, which we explore in our Privacy Trends Report.
Here are a few ways that the CCPA changed the conversation around U.S. consumer protections and how it will continue impacting consumer action.
- Protecting consumer rights: The CCPA enshrined the rights of California residents to access, delete, and rectify their data. It also provided them with the option to limit the type of sensitive or personal information businesses can access and use.
- Driving consumer privacy requests: Following the passage of the CCPA, millions of Californians are exercising their rights through data subject requests (DSRs), and 2022 saw a 72% increase in DSRs from consumers.
- Empowering consumers to opt out of sharing: The CCPA also requires that companies honor opt-out requests from consumers who ask that businesses not use their data in the first place. 34.7% of privacy requests in 2022 were opt-out requests, which is no surprise, given our findings in 2020 that 62% of consumers crave the right to deny businesses access to their data.
- Increasing consumer awareness: Part of the CPPA’s $10 million budget will go to education initiatives designed to increase consumer awareness of privacy rights (which is already growing) and ensure they’re being honored.
How the CCPA Impacts Business
Of course, as these privacy rights and protections have been enacted, companies must begin observing them—and doing so impacts the operations of any organization.
Some of the material and philosophical implications for companies operating in California include:
- Increasing privacy’s cost: In 2022, it cost businesses $648,000 per million identities to process consumers’ requests to access or delete their data—a nearly 60% increase from the $409,000 per million IDs it cost to process DSRs in 2021.
- Raising the number of fines issued: The Agency will now be able to focus its attention exclusively on enforcing data privacy regulations, holding businesses accountable, and protecting the rights of consumers. This likely means that closer attention will be paid and more penalties will be issued. The CPPA has demonstrated a particular focus on “dark patterns” and other manipulative practices that invalidate consent.
- Centering data minimization and clear data usage practices: The CCPA encourages data minimization practices in order for businesses to ensure they’re only collecting and using the data they need—with the hope of improving data security and privacy practices while driving down the number of data breaches.
- Encouraging tight third-party vendor management: While a crucial foundation for understanding the data makeup of a company, data mapping tends to miss 50% of third-party SaaS apps. This leads to huge amounts of data sprawl, so companies must address this by keeping close tabs on third-party vendors, contractors, and service providers.
This list of the CCPA’s effects on companies and consumers only provides a partial snapshot of the rich and complex landscape of California’s data privacy laws and developments. For a deeper dive on these impacts and a breakdown of action steps to address these areas, consult our Official Guide to CCPA.
Keep Up with Regulations While Honoring the Privacy Rights of Californians
With the CCPA, compliance is a key part of satisfying regulators and cultivating trust with California consumers. Given how many components of enforcement will likely kick into high gear, and how many areas of your business processes and protocols have data privacy implications, there are many little (yet important) steps that go into building a compliant and effective data privacy program.
DataGrail can help with areas like data mapping, DSR automation, and privacy risk assessments—that way you can focus on other privacy initiatives and crucial business goals. Contact us to request a demo and get started.