Primer: California Consumer Protection Act

What is CCPA?

In 2018, the California legislature passed the California Consumer Protection Act, a bill aimed at boosting consumer privacy for state residents. The law came as a small coalition prepared to push a ballot initiative in November 2018 following headline-grabbing stories about privacy missteps by some of the largest Internet companies. To convince the ballot initiative’s author to pull the measure before a mid-year deadline, the legislature quickly took up and passed the sweeping privacy legislation, leaving many startups and other small companies confused about what the law will mean for them when it takes effect in 2020.

How does the law affect startups?

The CCPA debate is not about deciding between consumer privacy and the ability for companies, including startups, to do whatever they want with consumer data. If anything, the law will arguably impact startups the most, as new and small companies stand the most to lose when shady data sharing and data breaches prompt a loss of consumer confidence in online services. Unlike large companies, which have the time and resources to comply with the law, startups on bootstrap budgets will have to make costly sacrifices to navigate the broad, unclear requirements in the new law. The costs to comply with CCPA are significant and will largely apply no matter the business model.

Specifically, the way the law defines things like “personal information” and “sale of data” creates ambiguity around everyday business practices that many companies rely on, especially startups that use advertising to offer services to consumers for free. Even if a startup doesn’t “sell” consumer data as defined in this law, it may rely on larger platforms that will stop offering services out of fear of running afoul of the law.

While there is a small business exemption in the CCPA, it is written so narrowly that it won’t cover anyone but the smallest brick-and-mortar businesses. Any company that has more than $25 million in annual revenue, has data on more than 50,000 users or devices, or gets 50 percent or more of its annual revenue from selling consumer data doesn’t qualify. That might sound like it covers a lot of California’s startups, but it won’t. A website that has 17,000 users, each of whom visits from a smartphone, tablet, and computer, would no longer qualify for the small business exemption.

What’s next?

Before the law goes into effect in 2020, the California legislature can make tweaks to clarify the law and make it easier for startups to comply without changing underlying privacy protections for users. California lawmakers should tailor the definitions—especially the terms “personal information” and “sale”—to target the practices they’re specifically worried about.

As the state legislature reconvenes in 2019, it’s critical that they hear from startups about ways the law can be improved before it’s too late. If you work for a startup that will be impacted by the law, make your voice heard now. Contact Engine to find out how you can help.
