The California Consumer Privacy Act (CCPA) of 2018 goes into effect Jan. 1. One way to describe it is as California’s answer to the European Union’s General Data Protection Regulation (GDPR).

Though there are significant differences in the specifics, both the CCPA and GDPR have had, and will have, significant impacts on business. Before you dismiss either as irrelevant to your organization, here are a few things to consider.

Wait, give me that back!

It is almost easier to understand the impact of CCPA from the consumer perspective. As consumers, the CCPA gives us the right to understand the data a covered organization has on us and what they intend to do with it.

Further, if the covered company decides to do anything else with our data, they also have to tell us. We can also opt out of those uses and ask for our information to be deleted. However, we also have the right to opt back in without previous data collected on us coming back into consideration.

This may sound great for us as consumers, but as we saw with the GDPR, it can be quite onerous for organizations (unless you have the resources of Google). CCPA is poised to be just as problematic from both a system and processing side as GDPR, but in different ways.

Can’t sell anything bought, sold or processed…

CCPA is different from GDPR in a few specific ways, but in general they both address “rights of access, portability, and data deletion” for consumer information. This means, according to this International Risk Management Institute summary, covered companies have to explicitly note the sources, categories, commercial purpose, and specific pieces of personal information the business has collected about the consumer.

Further, covered organizations must also disclose the sources and commercial purpose for collecting or selling the information, in addition to identifying to whom they are providing the information.

In other words, if we are using someone’s personal information that can be linked to them for business purposes, we need to be able to clearly let that person know and give them the option to opt out. We also must be able to track and respond to those requests, monitor them for compliance and, of course, have systems in place to ensure we are actually and accurately deleting their information as requested.

Not me or just not now?

This Fortune article nicely summarizes who will be required to comply by Jan. 1: “companies with more than $25 million in gross revenue, businesses with data on more than 50,000 consumers, and firms that make more than 50% of their revenue selling consumer data (i.e., data brokers).”

That same article also noted an important point: many organizations were expecting the bill to either be watered down as a result of aggressive lobbying by tech companies or overwritten by a federal law. Neither happened by the September 2019 deadline. This underscores an important trend in favor of consumers’ rights around their information.

It is a trend that is here and will continue. Whether you meet this first round of requirements or not, be prepared for transparency and consumers’ rights to their information to expand, and for the requirements around gathering, reporting and selling that information to become more rigorous and transparent.