CCPA goes into effect on January 1, 2020 and aims to protect California’s 39 million inhabitants against the ever-growing threat to privacy. The law will grant unprecedented power to individuals by giving them choice in regards to the collection, sale, and deletion of their private data. Despite being a state law, large, medium, and even small companies throughout the country will be affected by it.

The California Consumer Privacy Act (CCPA) is viewed as a savior for privacy, arriving to protect consumers’ data. Unfortunately, it may fall short of reaching hero status.

There are few requirements to be subject to CCPA rules: for-profit companies must either gross over $25 million, manage data of 50,000 or more California residents, or derive more than 50% of their revenue from the sale of data.

An International Association of Privacy Professionals examination of the statute estimates that around 500,000 companies nationwide will have to comply with CCPA. The issue for businesses is that they will not only be subject to CCPA but will simultaneously be impacted by other states’ privacy legislation.

Six states already have privacy laws in place (Connecticut, Nevada, Maryland, Maine, New Jersey, and Delaware), and six others will have their own set of legislation by early 2020 (Washington, Michigan, Illinois, Oregon, Texas, New York, and California).

In the unfortunate but very realistic scenario of a data breach, small and medium-sized companies will be fined millions of dollars and may become financially impaired. Micro companies may be pushed into insolvency for simply exposing email addresses gathered through social media campaigns.

The result will not be death by a thousand cuts but instead being crushed by a thousand boulders. The noble purpose of CCPA is to protect the population, but the penalties may be too harsh for the crime.

Opening the door for cyberterrorism

The financial hardship caused by privacy law penalties may be a target for cyberterrorism. If a foreign body hacks into a few large companies and exposes consumers’ data, states will prosecute and hand out fines that could reach hundreds of millions of dollars per company.

Cyberterrorists could pit the American legislative system against the very people it exists to serve. If financially challenged companies were to succumb due to colossal fines, not only would Wall Street suffer devastating losses but thousands of workers would lose their jobs.

Destabilizing the American economy through a large-company data breach could start with something as simple as hackers getting access to networks through a compromised password. Possibly having 50 regulating bodies fine a company for the same incident seems excessive.

In comparison, Europe has adopted a single continent-wide set of privacy rules referred to as General Data Protection Regulation (GDPR). CCPA and GDPR are similar laws, in that both aim to give consumers more control over their private information.

There are, however, noticeable differences, such as GDPR requiring explicit permission from consumers to capture their data, where CCPA only gives the option to deny its sale or sharing. Also, the approach to calculating fines differs, but in both cases, penalties are considerable and may financially cripple some companies.

Despite GDPR being a strict law, it does not have the complexity of managing dozens of different statutes, as will happen in the United States.

Federal legislation

Both Republicans and Democrats agree that federal law over data privacy is needed; however, an actual bill is nowhere in sight. Lawmakers disagree on many topics, including enforcing the legislation and how much liberty states will have to create their own rules.

The goal of a federal bill by year’s end does not seem achievable, and all signs are pointing to the states individually legislating over data privacy. The result of federal lawmakers’ incompetence in putting together data privacy statutes will become hardship borne by our country’s businesses as they navigate through the maze of various state laws.

Despite CCPA and other state privacy statutes possibly being too tough on businesses, the outcome will be beneficial for the consumer. Identity theft haunts millions of victims every year, and the effects could be felt for a lifetime.

The modern world is digital, and having regulations in place to protect our private data is not only positive but essential. Despite CCPA applying just to residents of the Golden State, it will rule nationwide, even internationally, and businesses will have to adjust to it or face the consequences.

David Harding

CTO at ImageWare Systems

David Harding is the CTO and senior vice president of ImageWare Systems, a leader in mobile and cloud-based identity proofing and biometric authentication solutions. David, an accomplished, international executive with more than 25 years of technology implementation and management experience, is responsible for strategic design, technology infrastructure and core strategy from concept through delivery. Before joining ImageWare in 2006, David held several CTO and executive management positions, including at IC Solutions, Inc., Fulcrum Point Technologies, Inc., ProSoft, and Access360, which is now part of IBM/Tivoli.