On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), marking the end of a month-long break from regulation-intensive projects for business leaders around the world. For two years, anyone doing business with EU residents had been working overtime, preparing to meet the General Data Protection Regulation (GDPR) requirements before the May 25, 2018 enforcement deadline went into effect.
A little over a month later, California threw its hat into the regulation ring to protect the consumer rights of its own residents with the CCPA. This law, also known as AB 375, is not nearly as broad in scope as the GDPR, but it rests on the same basic ideals, handing some core data-related rights to the residents it covers.
Whether we like it or not, it is time for everyone to start gearing up for yet more regulatory compliance. It might help you to start learning more about the CCPA as early as possible.
What Is the California Consumer Privacy Act?
The CCPA gives California consumers the right to demand to know about all of the information that a company collects and stores about them. Additionally, the customer has the right to know about any third parties with whom the company has shared their personal information. Finally, the new California law allows consumers to sue a company if they feel that privacy guidelines have been violated, even if there has been no data breach.
How the California Consumer Privacy Act Came to Pass
The CCPA was actually fast-tracked as a way of avoiding dealing with a potential citizens’ initiative, which was proposed by Californians for Data Privacy and was set to appear on the November 2018 ballot. The legislators thought it better to develop a basic law that they could later amend, as needed. Once the AB 375 bill was passed into law, the sponsors of the initiative withdrew it from the ballot.
The passing of CCPA was beneficial to everyone involved since, once approved, the citizens’ initiative would have required approval by two-thirds of voters or a 70 percent super-majority in each house of the legislature. Clearly, such a process would have made it difficult to make any needed improvements or refinements to it, practically locking everyone into a less than ideal piece of legislation for a long time.
The legislators not only bought time with AB 375; they also gave the law more flexibility to ensure meaningful change for consumers’ data rights in California and a way to help businesses comply fully and within the designated time frame.
Why the California Consumer Privacy Act Was Created and Passed
AB 375 was developed and passed because customers had no way of acquiring important details about their personal information, once submitted to a private business. Everyone can ask nearly any level of government about any acquired information about them through the Freedom of Information Act, but again, there was no equivalent pathway to learning this sensitive information in the private sector.
The Development and Passage of the California Consumer Privacy Act Focused on a Few Core Principles
Over the years, citizens have become increasingly comfortable with freely providing vital personal information to businesses without knowing what happens to it after completing a transaction.
The developers of the CCPA set out to create a law that helps California consumers understand that they are entitled to more transparency and control over their personal information. They built the law around core data protection principles, with requirements that hand important new rights to California consumers.
Following are the core data protection principles that shape the CCPA:
Transparency Regarding the Collection and Processing of Information.
Now more than ever, it is important that all consumers pay attention to the collection and handling of personal information. Customers should have the right to know what data companies collect about them, their children and any devices they use. It is also important for customers to know how their data may be used and to which third parties the business may plan to sell their information.
Control Over Data.
The proposed initiative sponsored by the Californians for Data Privacy aimed to offer consumers the right to forbid companies from selling their personal information. Further, consumers could do so without any retaliation enacted toward them in the form of refusal of service or goods when exercising their choice to control their data.
Accountability of Businesses Entrusted with Consumer Data.
It is no secret that data breaches have grown in momentum and frequency over the past decade. Hackers will always look for new ways to infiltrate systems and steal valuable customer data. Mandatory compliance with laws like the CCPA makes businesses more mindful of how they handle customer data. If a business does not comply with the CCPA and customer data is compromised through a data breach, the business is held accountable.
The Key Requirements of the California Consumer Privacy Act
Essentially, the CCPA offers California consumers a suite of rights, giving them more control over their data. But what does that mean for business owners who must comply?
Following are the key requirements of the CCPA that can help impacted organizations start preparing:
Transparency, discussed earlier from the consumer’s perspective, requires businesses to take a closer look at how they collect, store and process consumer data. Companies will need to consistently and thoroughly track the following vital details:
- The categories of personal information, and the specific personal information, collected or sold
- The categories of sources from which the data was collected
- How the data will be used
- The third parties to whom the business plans to disclose personal data
The Right to Be Forgotten
This requirement is the same as it is for the GDPR in that, if a customer requests that his or her personal information be deleted, the business must comply. However, there are a few exceptions to this requirement when it comes to data that is necessary for the business to perform certain tasks, which include:
- Completing the transaction associated with the data
- Complying with any laws or regulations
- Detecting and/or protecting against illegal activity or incidents
- Identifying and repairing errors
Provide Notice and the Opt-Out Ability
Any business that collects or purchases the personal data of a California resident cannot resell that information to a third party without notifying the consumer of the proposed sale. Further, the business must give the consumer a clear and easy way to opt out of that sale.
Similar to the GDPR, the CCPA takes a more restrictive approach to these requirements when applied to children under the age of 16.
No Penalties to Consumers for Exercising Any or All of Their Rights Regarding Data
Consumers must be able to freely exercise their data rights without concern that a business might refuse to provide goods or services because of it.
However, businesses may charge different prices or fees, or provide different tiers of service, based on the customer’s privacy selections. Keep in mind that a business may only charge such fees to the extent that they recoup the approximate value the company loses by not having that information in its systems.
Businesses may choose to offer financial incentives to entice consumers to provide personal data, but they must notify consumers and be transparent about the reason for the incentives. Further, each customer must actively opt in to the incentive program, and they may opt out at any time.
Businesses That Must Comply with This New Law
The CCPA applies to for-profit businesses that meet the following criteria:
- Have annual gross revenue of more than $25 million
- Purchase, receive or share the personal information of 50,000 or more consumers, households or devices for commercial purposes
- Derive 50 percent or more of annual revenue from selling customers’ personal data
The Enforcement Deadline for the California Consumer Privacy Act
The official deadline for compliance with this law falls on January 1, 2020, but take note that affected businesses must have their data tracking systems in place at the beginning of 2019. Since the law dictates that consumers have the right to request all data related to their account, covering the previous 12 months, companies must be prepared to provide that information immediately. That means business owners need to get to work as soon as possible.
Penalties Associated with Non-Compliance
Similar to the GDPR, the cost of non-compliance is astounding. The CCPA intends to impose penalties of $750 per consumer per incident or actual damages, whichever is greater. So, a single incident involving 1,000 customers would cost a business $750,000.
Additionally, penalties assessed against a business, regardless of whether or not there was an active incident compromising data, can go as high as $7,500 per violation.
Read about recent laws going into effect in other states: States Are Leading Efforts to Improve U.S. Data Privacy.
Have You Started Preparing to Comply with the California Consumer Privacy Act?
Do you provide goods or services to California residents? If so, you may need to learn more about the CCPA and how you can become compliant as soon as possible. Our team at I.S. Partners, LLC can help you start planning your data tracking for January 2019, as well as develop a strategy for full CCPA compliance by January 1, 2020.