What is the California Consumer Privacy Act and How Should You Respond?
In the spring of 2018, organizations around the world scrambled to ensure they were prepared for GDPR – the sweeping privacy and data protection legislation that went into effect in the EU. It was unclear who was affected or to what degree, but if you did business in Europe, you took it seriously.
Fast forward 20 months and California has passed similar legislation designed to protect the privacy of its citizens. The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and represents the strictest law to date for the collection and sharing of personal data by businesses.
This isn’t a first. California has long been at the vanguard of consumer protections. It was among the first (and still relatively few) states to add privacy to its constitution in 1972, and it has led the way on dozens of consumer laws that later passed in other states. Because of California’s size (40 million residents making up 12% of the US population), new regulations there often have a trickle-down effect on companies and consumers throughout the country.
Whether you do business directly in California or not, it’s important to know what this law entails, how it impacts out-of-state operators, and what it could mean for the future of privacy laws in the US.
The Origins of CCPA
The CCPA was passed shortly after GDPR went into effect, in June of 2018. Citizens had proposed legislation and collected 629,000 signatures to put a privacy act on the ballot, and state legislators wanted to pass something before that could happen. The result was what many considered a rushed, not fully thought-out bill that was drafted, passed and signed in just a few weeks.
Building on many of the principles of GDPR and similar legislation under consideration in other states, the CCPA is fundamentally about protecting access to personal information. Specifically, the law ensures California residents can:
- Know what information has been collected
- Access that information easily
- See who has access to the information and if/when it has been sold
- Request deletion of that data and receive confirmation it has been done
In short, if someone doesn’t want their data to be collected and sold to other entities, the CCPA provides protections and requires companies to provide the means by which to ensure this doesn’t happen. For companies that monetize data collection, there are protections included that don’t allow them to charge extra to those who do not want their data sold. Furthermore, data from minors under 16 cannot be utilized unless preemptively authorized.
Does Any of this Affect You?
That’s the big question.
If you collect or process information from California, then you may be affected by the law. Small businesses are largely exempted, however. Businesses that gross $25 million or more, that process the information of 50,000 consumers, households or devices each year, or that make more than half of their revenue from selling personal information are required to comply.
Of course, this doesn’t specify what it means to “sell personal information”. Because the law was rushed through approval so quickly, many of these terms were not fully defined. Data gathered from exchanges that is used for processing payroll, healthcare information, or other common processes may fall under this umbrella, and employees could choose to opt out of that information being shared.
In terms of the data that falls under the protection of CCPA, essentially anything that can be associated with a specific consumer is included. Beyond the basic information all consumers want to protect (birth date, Social Security number, and address), other examples include location information, in-app behaviors, buying patterns, employment history and more. In this way, it goes beyond even the GDPR, including data that can identify the household, if not the specific individual.
Being CCPA Compliant
If your business is required to comply with CCPA, you’ll need to do the following:
- Provide multiple ways for users to request access to data – including a phone number.
- Implement a process to grant access to data within 45 days of a request, including deletion.
- Set up a warning system for when data will be sold and a means by which to opt out.
For companies impacted by the new law, this has meant a sprint to compliance. With only 18 months to set up the necessary tools for users and update their privacy policies and data management policies, many companies are still scrambling with only days left before the deadline.
The cost of non-compliance is high, with fines of as much as $7,500 per violation and $750 per consumer if there are data breaches.
What Happens Next?
Right now, businesses that don’t collect California user information, or that don’t do substantial business in California, won’t need to make many, if any, changes. That could change, though. As noted above, California is often the first state to implement changes that others later consider. Several states already have some form of data breach and privacy protection law, though none as strict as CCPA.
Other states are working on laws as well, including Nevada, which last year passed a law requiring similar opt-outs to selling personal information. Washington State and Texas attempted to pass similar laws and failed (though Washington is set to try again in 2020), while New York is currently working on a law similar to CCPA.
Under all of this is an ongoing call for federal privacy regulations that would help unify the divergent state initiatives and simplify compliance for businesses. Several bills have been introduced to Congress in the last few years covering basic privacy rights, social media data usage, and more. None have gained traction yet, but as more states implement and discuss their own laws, the calls will grow stronger for a national law that takes into consideration the realities of individual industries and use cases.