The California Consumer Privacy Act (CCPA): Get Your Data House in Order
What did U.S. companies learn from their General Data Protection Regulation (GDPR)-readiness exercise last year?
That GDPR took longer than expected.
Hopefully, they learned key lessons. They can leverage these as they face the challenges of the fast-approaching and complex California Consumer Privacy Act (CCPA). This law is slated to take effect January 1, 2020.
That’s right. Their work is not done.
Although they have a greater advantage, they cannot assume their systems will support CCPA or any other forthcoming privacy regulations. Why? Because more than likely they focused on implementing the GDPR-type standards to European data and not to the U.S. data.
The question on everyone’s mind is how the two privacy laws differ.
Yes, the CCPA mirrors the EU privacy law. It does this in that it allows people to ask companies what personal information is collected about them and why. Consumers can also request their data be deleted. But the differences are complex. And the requirements are somewhat nuanced.
Regarding the collection and sale of personal information, GDPR only allows companies to ask consumers to “opt-in” while California’s law enables consumers to opt-out. Arguably,
It’s the most important right the California Consumer Privacy Act provides to California residents.
“Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
That’s why the California Consumer Privacy Act requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information.” It also requires you to include a phone number in your privacy notice. This might change to be a phone number OR email address. An amendment is waiting in the wings.
California is the fifth-largest in the global economy. So the CCPA’s impact is expected to be global. Understand the timeline and key deadlines of the California Consumer Privacy Act. It will help you differentiate the law from the GDPR, which did not involve amendments.
- May 31, 2019: The last day for amendments that were introduced in the Assembly (lower house of the CA Legislature) to move out of their house of origin to the Senate for committee process. A bevy of amendments to the CCPA have wound their way through the CA Legislature. This cleared up some of the law’s murky compliance requirements. What constitutes “personal information” was a part of this. Only twelve bills survived passage through the lower house.
- September 13, 2019: The final day for the state Senate (the upper house) to vote amendments into the law. Industry lobbyists would like to keep pushing for more changes right up until the law goes into effect. However, that’s not to be.
- October 13, 2019: The final day for the governor to sign or veto any bill that survives the Senate.
- January 1, 2020: The CCPA is slated to take effect. The individual rights requests will start coming in around this time.
- On or before July 1, 2020: Enforcement will only begin six months after the adoption of the AG’s regulations – or July 1, 2020 – whichever is sooner. But don’t breathe a sigh of relief that you’ll be getting a grace period. The state can bring enforcement actions from instances of noncompliance during those first six months.
Robust aptly describes the GDPR compliance process. “Murky”, “complex” and “flawed” are words used to describe the California privacy law. Thus the reason for the flurry of amendments submitted to give businesses more clarity before the law takes its final form.
Back-up to the beginning for perspective.
In early 2018, millionaire real estate developer Alastair MacTaggart spearheaded California’s new consumer privacy law. His original intention? Gather enough signatures to qualify a privacy initiative for the ballot in November 2018.
Spending about $3 million of his own money, MacTaggart created a more than 33-page long initiative. Had voters approved it in November, the Legislature wouldn't have been able to amend it in the future. This would have caused problems for stakeholders. Almost every industry recognized that the initiative had significant issues.
So the California Consumer Privacy Act (Assembly Bill 375) is considered a compromise. This truce is between consumer privacy advocates, legislators and businesses that may have been put together too hastily. And it resulted in glaring errors.
Words matter in the CCPA.
We've already pointed out the importance of understanding the definition of “sale” in the CCPA. There are other words worth defining.
The GDPR’s scope is broad. But the CCPA has applied its rules to a for-profit “business” that does business in California. It also conforms with one or more of the following:
- Generates an annual gross revenue in excess of $25 million
- Derives at least 50% of its annual revenue from selling California consumers’ personal information
- Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices
- Controls or is controlled by an entity meeting the above criteria and shares common branding with
The definition of personal information is broad in the CCPA. It’s defined as any information about a particular Californian consumer, household or device. The non-exhaustive list of examples includes:
- account names
- social security numbers
- medical information
- passport details
- IP addresses
- phone numbers
The California statute says a consumer is a resident of California, period. You don’t need to enter into a transaction with a person for him or her to qualify as a consumer.
Understand that non-compliance can be extremely costly to your company.
For data breaches, consumers may be able to sue for up to $750 for each violation. Residents can also choose to bring class action lawsuits. You can seek statutory damages of up to $750 per consumer per incident.
Doesn’t sound like much, right? That's until you consider most privacy breaches involve hundreds of thousands of records.
Even if you don’t have a data breach on your hands, you're not off the hook. The CCPA can slap a $2,500-$7,500 fine on you simply for non-compliance.
For intentional violations of privacy, the state attorney general can sue at up to $7,500 each. The law requires consumers provide written notice to a business within 30 days of a violation. They can then take legal action.
Companies have 30 days to “cure” (fix) the issue. The law doesn’t define what a “cure” would entail. And 84% of businesses say they're anxious as they await the clarification of the term “cure” as it relates to violations.
You also have to consider the potential damage to your company’s reputation. Plus the subsequent loss of revenue you stand to suffer due to decreased consumer confidence caused by lawsuits.
Customers expect you to comply. If you’re not compliant, it could cost you the trust of your existing and potential customers. And the loss of trust means the very real loss of dollars on your bottom line.
A CCPA readiness plan at your company should be underway.
Most companies surveyed said that it took seven months or longer to wrangle their data into GDPR compliance. A key issue was the lack of preparedness.
For U.S. businesses specifically, lack of experience was key. You see, European companies, unlike their counterparts in the U.S., have been dealing with complex and multi-jurisdictional privacy issues for 20-plus years.
And don’t be tempted to take the “wait and see” approach until the statutory language seems more settled in September, giving business an advantage. It won’t. If anything, it’ll expand the private right of action for consumers.
Take this big step now.
Create a data inventory by surveying all aspects of your business, from Marketing to IT to Vendor Management and all points where you receive information from any source and in any format.
There are lots of companies that collect and rely on selling data, and they simply don’t have any record of where all that data is that’s being sold. In other words, find all the places where data could be hiding.
Companies compliant and non-compliant with GDPR may need to add a column flagging whether a data-use case involves data “selling” – a tracking of the categories of personal data transferred to third parties – and a column indicating whether the data was only collected more than 12 months ago and therefore potentially exempt.
That’s for starters.
Conclusion: These types of privacy law requirements aren’t going away.
Let's say you don’t fall under the GDPR or CCPA today. It’s still only a matter of time before you’ll have to transform your organization’s practices to comply with state, federal or international law.
More and more states are gearing up for similar regulations coming down the pipeline. This includes Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island. So are countries like Brazil (effective August 2020) and China.
Our advice: Don't reinvent the wheel every time there's a new regulation. Don't rely on piecemeal technology solutions. Instead, work closely with a technology services partner who understands the details of each regulation.
Remember, the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run.
Schedule a short consultation with our team of experts today.
We’ll review your business and marketing materials to ensure they’re CCPA compliant and on time.