The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and while most companies understand why the Act was passed, many are not fully aware of its wider implications - how their business will be affected as a whole, how to prepare, and what may be coming next in data privacy regulation. In fact, a recent study from Ethyca found that only 12 per cent of companies had reached an "adequate state of compliance" ahead of the law taking effect.
The study also revealed that more than 70 per cent of companies have not built or implemented any dedicated solution for managing compliance. Instead, companies are opting to retrofit old processes, or asking employees to put in extra hours to make sure the way they collect and store data is compliant. Companies that rely on such manual, outdated approaches are exposing themselves to regulatory risk: a process that depends on individuals remembering to act will not reliably meet statutory response deadlines or produce a defensible record of what was disclosed or deleted.
The brass tacks, guidelines and rules to follow
Under the CCPA, California consumers have been given broad new privacy rights. They can ask any covered business to disclose what personal information it holds about them or their household, direct a business not to sell their personal information, and request that the business delete the personal information it has collected from them. The deletion right is not absolute, however: a business may retain data it needs for legitimate purposes, for example to complete the transaction for which the information was collected, to fulfil a contractual obligation, or to comply with a legal obligation such as tax record-keeping requirements.
Businesses that do business in California, irrespective of whether they are based in California, and that process data about California consumers, must be more transparent about how they manage, store and use their Californian customers' data. With a few exceptions, a business must disclose, upon request, the specific pieces of personal information it has collected about an individual Californian consumer and, if that data has been sold, also provide additional details, including the categories of third parties to which it was sold.
The law applies to for-profit businesses that do business in California and meet any of the three criteria listed below. Businesses that meet any of these criteria need to work with internal teams on how to appropriately gather a consumer's information, how and where to store it, and which requests they are obliged to respond to.
How to prepare properly
Considering that many U.S. and even worldwide businesses ship products to California, or have online properties (e.g., websites) that are available to Californians, a significant number of businesses will need to make timely preparations and ensure ongoing compliance processes are in place. The law gives Californian consumers a new private right of action for data breaches caused by a business's failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). Separately, beginning July 1, 2020, the attorney general can bring enforcement actions for violations of the Act, with civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. Because both figures are per consumer or per violation, a single incident affecting many records can be very costly, and this exposure is a line item that needs to be factored into 2020 budgeting. In fact, the new privacy law could cost companies a total of up to $55 billion in initial compliance costs, according to an economic impact assessment prepared for the state attorney general's office by an independent research firm.
In order to prepare for this new legislation, businesses must:
- Determine whether or not the CCPA applies because they meet one or more of the following criteria:
- Has annual gross revenue in excess of $25,000,000; or
- Alone or in combination with others, buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year; or
- Derives 50 per cent or more of annual revenue from selling consumers' personal information.
If the CCPA does apply:
- Ensure they are ready for the CCPA's "look-back" period, which requires them to be able to disclose the personal information collected in the 12 months preceding the date of any disclosure request, and
- Train employees who handle consumer enquiries on what the CCPA is and how internal processes will change, and
- Provide at least two designated methods for submitting CCPA requests, including a toll-free telephone number and, if the business has a website, a web address.
CCPA’s immediate effects for businesses and consumers
Many companies today have built a lucrative business on their users' personal information. Many tech companies, for instance, allow advertisers to target users based on demographics, search history and preferences. And, for the most part, companies could largely do what they pleased with consumer data - until now.
While compliance with this legislation may feel daunting, amendments have been made to the law to ease certain aspects. For example, employee and job-applicant (HR) information, and personal information exchanged in the context of B2B communications, have been exempted from most of the law's requirements until January 1, 2021. Over the next few months, businesses will look to Silicon Valley and the big tech companies to take the lead on CCPA compliance: they have far more money, staff and technology to do so than their startup counterparts.
Impact of this regulation on a larger scale
While every state has its own breach notification law governing how companies must respond in the event of a data breach, Congress has yet to pass federal legislation addressing how companies may gather and use consumer data. Europe, by contrast, is ahead of the game: the GDPR has been in force since May 2018 and currently serves as the gold standard (and the most stringent) of data privacy laws.
In the United States, state-level momentum for comprehensive privacy bills is at an all-time high. Soon after the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers within their own borders. Nevada and Maine have already passed their own laws, while New York, Hawaii, Massachusetts and Washington are all considering bills with varying degrees of stringency and imminence.
Businesses across the U.S. should therefore treat California's new legislation as a head start on preparing for any regulation that may be coming to their home state or at the federal level. When enacted and implemented correctly, this type of regulation has the potential to benefit consumers and corporations alike.
Learn more about the CCPA and access useful resources that can help businesses adapt and become compliant in time for the new legislation here.
Adam Prince, Vice President Of Product Management, Compliance, Brexit and Migration, Sage