You’ve read about it for months now, and it’s finally here. The California Consumer Protection Act went into effect on January 1st, 2020. Unlike asking a telemarketer to put you on the mythical “Do Not Call List,” consumers’ new privacy rights under the CCPA are very real and very enforceable. We’ve waded through all the confusing information on the CCPA to put together a handy list of answers to questions you may have had when hearing about CCPA and considering its impact on your business.
What is it?
The California Consumer Protection Act, or AB-375, was passed on June 28, 2018. It is a comprehensive piece of legislation designed to significantly elevate privacy regulations and to protect California consumers from having their personal data stolen, sold, or shared without their knowledge. Businesses will be under increasing scrutiny to have complete transparency in how they are currently collecting, storing, and using consumer data.
What kind of consumer data is protected?
Be careful – the CCPA takes a very broad view of what constitutes “personal data” about consumers. It’s not just credit card information! The specific definition of personal data under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to a customer’s name, this “personal information” includes: IP address, postal address, email address, Social Security Number, driver’s license number, passport number, biometric information, geolocation data, consumer photos, and messages…the list goes on. ALL of these things are now protected under the CCPA. Due to the connected nature of the growing Internet of Things, more consumer data of an alarmingly personal nature is being unwittingly shared online. The regulations under the CCPA are an attempt to control and curb the spread of that data.
What are consumers’ rights under the CCPA?
In short, the CCPA is designed to give consumers greater control legal over what information businesses know and share about them. Consumers have the right to:
- Disclosure – Consumers can make verifiable requests to know what personal information is being collected or sold about them, and businesses must disclose this information.
- Access – At the point of collection, a consumer must be informed of what type of information is being collected, and how it is being used.
- Deletion – Consumers can request to be “forgotten,” ie. they can request for all personal information about them to be deleted from a business’ system. This includes the removal of consumer information from third-party vendors.
- Antidiscrimination – Consumers cannot be discriminated against because they have exercised their rights under the CCPA.
- Ability to Opt-Out – A business must provide a “Do Not Sell My Personal Information” option on its website.
Maintaining all of these rights for consumers sounds like a big ask, but there are five main CCPA requirements that will help you achieve this. The CCPA asks that business take part in the following activities:
- In-house data inventory, mapping of relevant personal data, and highlighting instances of selling data
- Setting up new individual rights to data access and erasure
- Setting up new individual rights to opt-out of data selling
- Updating service agreements with third-party vendors and data processors to ensure that they are also CCPA-compliant
- Identifying and eliminating information security gaps and business system vulnerabilities
Will it affect my business?
“My business isn’t based in California, so I’m in the clear, right?” Not so much. There is a broad swath of companies that will have to comply.
If your business is for-profit, and if your business:
- Is owned and operated in California
- Sells to consumers in California
- Has an annual revenue of $25 million or more
- Buys receives, sells, or shares consumer data from 50,000 or more consumers, households, or devices
- Gains a majority of their annual revenue from the selling of personal data
You will be bound by this legislation! As you can see, this definition includes most of the companies in the U.S.
Are there any exceptions?
The main exceptions to the rule are where it conflicts with federal regulation. The CCPA shall not restrict a business’ ability to:
- Comply with federal, state, or local laws
- Collect, use, sell, or disclose consumer information that is aggregated consumer information
- Collect or sell personal information if every aspect of the transaction takes place wholly outside of California
The CCPA shall not apply to:
- Medical Information or protected health information, pursuant to regulations established by HIPAA
- Personal information collected pursuant to the California Financial Information Privacy Act
So, unless your industry is medical or financial (which are already strictly regulated), you need to pay close attention to the CCPA!
How do I achieve compliance?
“Ok, I get it. It will affect me. Now, what do I do to maintain compliance?” It’s all about putting in “reasonable security protection.” Your business should check for the following points to ensure CCPA compliance:
- Stringent processes and protections in place for how you collect and store customer data
- Consumer notifications of what type of information is being stored and used at the point of collection
- Strong endpoint protection and encryption
- Strong emergency processes in place in case a data breach occurs
- An Opt-Out option on your website so that consumers can request to be “forgotten”
Update your systems so that your consumers are made aware of what information you are gathering and how you are using it, and you should have no problem.
What will happen if I’m non-compliant?
There is a higher cost than ever for non-compliance, whether voluntary or involuntary. The CCPA Enforcement states that “any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty.” If you knowingly disclosed consumer personal data, the penalty is $7,500 for each intentional violation. If you unknowingly violate the CCPA (which shouldn’t happen if you are reading this post!), the penalty is $2,500 for each violation.
In addition to that, consumers can individually bring a civil action against your company for up to $750 per incident, or the cost of the actual damages, whichever is greater. This civil action will question whether your business has implemented “reasonable security procedures and practices,” so if you can’t prove you had privacy protection measures in place, watch out.
What should I do if there’s a breach?
If there is an attack on your business’ data systems and an information breach, you must act quickly to protect your consumers’ personal information, as well as to notify them of the breach. If you fail to do this within 30 days, you will be subject to maximum penalties. However, if you can prove that your violations have been amended and that no more will occur, you will be spared additional fines.
When will I have to enforce CCPA compliance?
If you feel like there’s a great deal you need to do to achieve compliance, you still have some time to do it. Even though the legislation goes into effect January 1st, 2020, there is a grace period that lasts until “6 months after the publication of such regulations,” or July 1st, 2020.
There. I’m done. Now I don’t have to hear about CCPA ever again, right?
Not quite. This legislation is following the trend of the EU’s GDPR (General Data Protection Regulation), which is actively creating and expanding the definitions of consumer rights. Right now, though, there is still turmoil as the CCPA tries to bring some cohesion to what is a dynamic policy area. There will be great changes in the legislation until homeostasis is reached. Businesses can expect similar laws to be passed across the country in the next few years, so if you don’t have to deal with consumer privacy rights now, don’t worry. You will.
Why is this important?
The CCPA legislation will impact your business, whether you realize it now or not. With many business’ marketing strategies relying heavily on using and predicting consumer identities, removing personal information about your customers introduces holes into the picture. This law will greatly affect the accuracy and efficacy of established marketing approaches like attribution.
The increased connection of the Internet of Things begins to reveal the many vulnerabilities that are emerging in sharing, storing, and protecting consumer personal information. According to Risk Based Security, 2018 was the second-most active year for data breaches, with 6,500 reported breaches that included some 5 billion records. And those numbers can only be expected to increase. The CCPA is an attempt to mitigate some of these breaches.
The CCPA may seem like a headache, but it is a good opportunity for your business to focus its attention on upgrading your security and privacy practices all around.
What’s going to happen next?
You can expect a rocky start to the enactment of the CCPA. First off, despite its being around for over a year, there is a great deal of contention as to the exact scope of the legislation. Two bills are currently under consideration to expand the CCPA, while nine bills are being considered that would narrow its scope. In addition, a federal privacy law is still under consideration in Washington, DC, that would affect the exact provisions of the CCPA.
In addition to this lack of agreement, there is a general lack of knowledge about the CCPA. A recent survey by ESET polled 625 business owners and executives to see how prepared they are for the enforcement of the CCPA on January 1st, 2020. Of these 625 owners, half had never heard of CCPA, 34% were unaware if they needed to change for compliance, and only 12% knew specifically how the law would affect them. Because of this confusion, you can expect to hear about a great deal of litigation in the new year as businesses are faced with the high cost of non-compliance.