The California Consumer Privacy Act finally went into effect on January 1, 2020. After more than a year of anticipation, its arrival brings the most significant and stringent regime overseeing private data collection ever enacted in the United States.
Its effects will be felt throughout the global economy. Though the law technically applies only to California residents, it affects a vast number of companies around the world. Most major companies that deal in consumer data, from retailers to cellular network providers to internet companies, have some Californian customers. Thus the law has the potential to threaten established business models throughout the digital sector.
Companies still have some time to get their ducks in a row—but not much. The attorney general’s office can begin enforcement six months after the final regulations are in place, or by July 1, 2020, at the latest.
Is your company prepared? If yours is like most companies, the answer is no. Read on to find out how to catch up and avoid the potential fines.
CCPA: A Refresher
The California Consumer Privacy Act (CCPA) is a digital privacy law designed to help consumers better understand and control how their personal information is collected and used online. Much like the EU’s General Data Protection Regulation, or GDPR, the CCPA aims to enhance privacy rights and consumer data protection (read more about how the CCPA compares with GDPR).
It was enacted by California bill AB 375, which Governor Jerry Brown signed into law in June 2018. More than 629,000 California voters signed the petition that put the original initiative on the ballot, while many tech industry leaders (including Comcast, AT&T, Google, and Verizon) opposed it.
The CCPA grants consumers four basic rights:
The right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold
The right to “opt out” of allowing a business to sell their personal information to third parties
The right to deletion of their personal information
The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act
Practically speaking, a large share of US companies with an online presence will need to comply. The CCPA applies to any for-profit business that does business in California and collects California residents' personal information, and that meets at least one of the following thresholds:
Businesses with annual gross revenues above $25 million
Businesses that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices each year
Businesses that derive 50 percent or more of their annual revenue from selling consumers' personal information
In other words, if any of the above applies to your company and you collect personal information (which, under the CCPA, can include identifiers gathered when a California resident merely browses your website), you must comply with the law.
What does your company need to do today?
Broadly speaking, companies have two options: reform their global data protection and data rights infrastructures to comply with the law, or institute a patchwork data collection system in which Californians are treated one way and everyone else another way. The latter will be impractical for most companies, especially on a tight timeline.
The rights to deletion and data portability apply to every covered business, including companies that generate revenue from targeted advertising over internet platforms, such as Facebook, Twitter, and Google. Those companies must allow California residents to delete their data or to receive it in a portable format they can take to an alternative service provider.
Below are some additional steps companies should take today.
First, find out whether you are selling personal information (as defined by the CCPA), and determine if you can change your business model to avoid the exchange of information.
Update your privacy policies with a description of Californians' new rights, and make sure users know about the rules and how to exercise those rights.
Create detailed inventories of the personal information you hold about California residents, organized so that it can be retrieved and disclosed when a user submits an access request.
Give users at least two ways to submit requests for access to or deletion of their personal information, at a minimum a toll-free telephone number and a web address (a business that operates exclusively online and has a direct relationship with the consumer may offer an email address instead). Separately, if you sell personal information, place a clear and conspicuous "Do Not Sell My Personal Information" link on your homepage.
Respond to access and deletion requests within 45 days of receipt (the period may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified). There are exceptions to deletion, such as when the information is needed to detect security incidents or fraudulent or illegal activity, or when deleting it would impede the exercise of free speech.
Lastly, put stronger security programs in place to prevent data breaches.
What are the penalties for noncompliance?
Penalties will be handed down in two ways. Civil penalties are enforced by the California Attorney General: up to $2,500 per violation, or up to $7,500 per intentional violation, subject to a thirty-day cure period after notice of the alleged noncompliance.
The law also makes it easier for consumers to sue companies after a data breach, either individually or as part of a class action. Statutory damages can be between $100 and $750 per California resident per incident, or actual damages, whichever is greater.
Multiply these figures across millions upon millions of consumers, and the damages add up quickly.
Not sure where to start?
Companies not already compliant with the law will want to get their affairs in order, ASAP. LogicGate can help.
The law includes a 12-month “lookback” period for all information that needs to be provided to customers, which means organizations really need to know what is happening with personal data dating back to January 2019. At a minimum, organizations should have a solid grip on what data they are collecting, how it is being used, and with whom it is being shared.
Becoming compliant with CCPA begins by taking a holistic look at your risk and compliance program, and addressing those areas where you may fall short. LogicGate’s Third Party Risk Management solution can help you get a handle on what personal data is being shared with or handled by outside companies and what measures they are taking to protect it, while Policy Management can help with formal documentation and communication of data management and security practices within your own organization. Finally, the LogicGate Compliance Management solution can assist with performing readiness assessments as you prepare for the new regulation.