Ready or not, here comes the California Consumer Privacy Act (CCPA). On January 1, 2020, CCPA requirements will take effect and California's internet users will gain new digital rights. The CCPA follows in the footsteps of the EU's GDPR and is the most important consumer data privacy legislation ever passed in the United States.
California is now the world's fifth largest economy, ahead of France, India, and the UK. That means the CCPA is not merely a state regulation. It represents a fundamental shift in how data privacy will be treated in the United States and businesses across the country must take compliance seriously.
Unfortunately, our research shows that 43% of IT professionals in the U.S. have no familiarity at all with the CCPA, while 44% report being only somewhat familiar with the regulation. That's a problem because CCPA fines can reach $7,500 per record violated. That means an event involving just 134 records could result in a $1 million fine.
"the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared."
The CCPA follows, and in many ways mirrors, the EU's GDPR. In fact, the CCPA was passed unanimously by California lawmakers in June 2018, only a month after GDPR took effect.
The CCPA applies to all for-profit businesses that meet any of the following criteria:
Have annual gross revenues in excess of $25 million.
Earn 50 percent or more of annual revenues by selling consumer data.
Buy, sell, or otherwise handle the data of 50,000 or more consumers, households, or devices annually.
CCPA penalties can reach $7,500 per violation and the regulation allows for a private right of action—that is, consumers may privately sue companies under the regulation. However, the terms of the private right of action are somewhat narrow and statutory damages are limited to between $100 and $750 per incident per consumer. Due to the complex process and limited individual damages, the private right of action might provoke a large number of class-action suits.
The CCPA protects residents of California, but not those in the state temporarily or for travel. With that said, the reach of the CCPA is broad considering the state's vast population. According to Section 1798.140, protected information is described as that which:
"identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The bill goes on to specify an array of information that could be relevant such as biometric, geolocation, browsing history, and even olfactory. This means that companies must consider not only traditional customer records and databases, but also unstructured data that might conceivably be connected to a user.
The CCPA facilitates several new rights for California's internet users including:
The right to know what personal information is collected and the purposes for which it is used.
The right to opt out of the sale of personal information.
The right to request deletion of personal information.
The right to equal service and price (i.e., the consumer will not face negative repercussions for exercising CCPA rights).
To find out more about CCPA requirements, we spoke with privacy expert and legal writer for the Association of Certified Fraud Examiners (ACFE), Ron Cresswell, J.D., CFE, CIPP/US.
GetApp: There are many similarities between the CCPA and the GDPR. What do you think are the most notable differences?
Ron Cresswell: The CCPA is very focused on the sale of personal information. Under the CCPA, a consumer can instruct a business not to sell their personal information to third parties, and the business has to comply with that request. That's called the right to opt out. Once a consumer has opted out, the business has to wait 12 months before asking for reauthorization to sell the consumer's information.
The GDPR doesn't have an absolute right to opt out of third-party sales, although consumers can restrict certain sales under some circumstances. Also, under the CCPA, every covered business that sells personal information must have a conspicuous link on its internet homepage that says "Do Not Sell My Personal Information." Exactly that language. And the link has to take you to a page that allows consumers to opt out. There's no equivalent requirement under the GDPR.
The CCPA also requires different disclosures in online privacy policies, so companies covered by the CCPA will need to update their policies. And the CCPA requires privacy policies to be updated every 12 months.
GetApp: Which CCPA requirements do you feel are most likely to cause compliance problems for affected businesses?
Ron Cresswell: If you sell personal information to third parties, you need to set up a system to track opt out requests. And you have to wait 12 months before asking for reauthorization, so you'll need to track all relevant dates and train your staff accordingly. Also, what if your standard emails or other communications with consumers give them the option to consent to third-party sales? Under the CCPA, consumers who have already opted out shouldn't be seeing that option.
GetApp: If a company has not yet begun to prepare for the CCPA, what should it do to get started?
Ron Cresswell: If your company already has a GDPR compliance program, you have a significant head start because you've already mapped out your data flow. If not, you'll need to figure out what personal information your organization collects, where it's stored, who it's shared with, etc.
To review, Ron Cresswell suggests the following for covered businesses:
Determine what personal data your company collects and whether it's being sold to third parties.
Add a homepage link displaying "Do Not Sell My Personal Information" that connects to an opt-out page.
Track opt-out requests and make sure to wait at least 12 months before asking for reauthorization, through email or otherwise.
Review privacy policies in light of CCPA requirements and ensure they are reviewed every 12 months.
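To make the opt-out bookkeeping in the steps above concrete, here is an added example (not code from the article, GetApp or the ACFE) of a small do-not-sell registry: it records opt-outs, blocks third-party sales while one is in force, enforces the 12-month wait before a reauthorization request, and suppresses the consent prompt in outgoing email for consumers who may not yet be asked. The class, the prompt text and the reading of "12 months" as calendar months are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed prompt text; the article only says opted-out consumers must not see this option.
CONSENT_PROMPT = "\n[Reply YES to let us share your information with our partners]"


def twelve_months_after(iso_day: str) -> date:
    """Same calendar day one year later; Feb 29 rolls to Feb 28 (assumption: calendar months, not 365 days)."""
    d = date.fromisoformat(iso_day)
    try:
        return date(d.year + 1, d.month, d.day)
    except ValueError:  # only Feb 29 has no counterpart in the following year
        return date(d.year + 1, d.month, 28)


@dataclass
class OptOutRegistry:
    """Hypothetical do-not-sell ledger: consumer_id -> ISO date of the opt-out currently in force."""
    opted_out: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (consumer_id, event, iso_date) kept as evidence

    def record_opt_out(self, consumer_id: str, iso_day: str) -> None:
        self.opted_out[consumer_id] = iso_day
        self.audit_log.append((consumer_id, "opt_out", iso_day))

    def may_sell(self, consumer_id: str) -> bool:
        """Third-party sale is allowed only while no opt-out is in force."""
        return consumer_id not in self.opted_out

    def may_request_reauthorization(self, consumer_id: str, today: str) -> bool:
        """Asking the consumer to consent again is allowed once 12 months have passed since the opt-out."""
        since = self.opted_out.get(consumer_id)
        return since is None or date.fromisoformat(today) >= twelve_months_after(since)

    def record_reauthorization(self, consumer_id: str, today: str) -> None:
        """Lift the opt-out; refuse when the request itself would have been premature."""
        if not self.may_request_reauthorization(consumer_id, today):
            raise ValueError(f"{consumer_id}: 12-month wait not over, request not permitted")
        self.opted_out.pop(consumer_id, None)
        self.audit_log.append((consumer_id, "reauthorized", today))

    def render_email(self, consumer_id: str, body: str, today: str) -> str:
        """Append the consent-to-sell prompt only for consumers who may lawfully be asked."""
        if self.may_request_reauthorization(consumer_id, today):
            return body + CONSENT_PROMPT
        return body
```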
Since its inception, the CCPA has been targeted by numerous attempts to weaken its protections, primarily by the Internet Association—a lobbying group representing numerous big tech companies. But despite those efforts, on September 13, the CCPA survived the final day of California's legislative session with only minor amendments.
On September 17, less than a week after their lobbying effort against the CCPA failed, the Internet Association launched a new campaign for a federal privacy law. That might be because powerful industry lobbying groups are likely to have more influence over a federal privacy law, potentially making it less rigorous than the CCPA and other state privacy laws that it's already inspiring.
It's probably a matter of time until a federal privacy law supersedes the CCPA, although that might still be a few years down the road. By gaining compliance with the CCPA now, businesses will be well positioned to comply with an inevitable, and perhaps less demanding, federal privacy law.
The data security survey referenced in this article was conducted by GetApp in June 2019 using Amazon Mechanical Turk among 714 respondents who reported full-time employment in the United States, 207 of whom identified as IT professionals.
This document, while intended to inform our clients about CCPA requirements, is in no way intended to provide legal advice or to endorse a specific course of action.