A landmark privacy rights bill took effect on January 1, 2020 in California and will have broad implications for U.S. consumers and businesses. The California Consumer Privacy Act (CCPA) mandates strict requirements for companies to notify users about how their data will be used and monetized along with giving them straightforward tools for opting out.
Although customers gained additional rights on the 1st of January to stop businesses from sharing their personal information, the state is not expected to begin full-scale enforcement until July. The California Attorney General, Xavier Becerra, said the law won’t begin to be enforced until July 1, 2020. In the meantime, the Attorney General’s office will finish drafting regulations to implement the law.
CCPA is recognized as one of the most impactful pieces of legislation ever enacted in the areas of data privacy. There have been several amendments and updates and, although currently in effect, sections of the CCPA still require points of clarification which may be publicized prior to the enforcement period.
The Act came as a response to growing customer privacy concerns amid increasingly frequent incidents, such as the Cambridge Analytica scandal or the one involving DNA-based genealogy firm 23andMe, where a pharmaceutical company received access to anonymized data from millions of customers. According to Forrester Consumer Technographics, 73% of the surveyed individuals are concerned that their data could be permanently recorded and accessible to anyone without their knowledge, while 68% worry that their mobile behavior could be tracked. As a result, they are taking measures to protect their personal data, such as using an ad blocker to limit data collection on apps and websites and using tools that preserve privacy online.
Without further ado, here’s what you need to know about CCPA.
What is the CCPA?
The California Consumer Privacy Act of 2019 allows any Californian consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
What is the applicability of the CCPA?
All companies that serve California residents and adhere to one of the following criteria – maintain at least $25 million in annual revenue, make half their money from the sale of user data, or gather information on at least 50,000 consumers – must comply with the law. An amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA). The law has extraterritorial applicability as well. Companies don’t have to be based in California or even have a physical presence there in order for CCPA to be applicable. They don’t even have to be based in the United States.
What data does the CCPA cover?
The California law takes a broader approach than GDPR when it comes to sensitive data. According to CCPA, “personal information” includes data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a consumer or household. As such, personal information includes:
-
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
- Inferences drawn from any of the information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
There are, though, certain exemptions. Publicly available information, defined as data available and maintained from government records, are exempt from the law and are not classified as PII. In addition, employee data, such as personal information collected from job applicants, owners, directors, officers, medical staff, and contractors, are not covered by the regulation until January 1, 2021.
What are the key requirements for affected companies?
The CCPA requires that companies disclose to California consumers the information they collect and why they collect it. Companies must allow consumers the option to not to have their data shared with third parties. That means that companies will now have to be able to separate the data they collect according to the users’ privacy choices.
Businesses must also honor consumer requests to have their data corrected or deleted. The consumers have the right to know what categories of personal information a business has sold to or shared with third parties, including those disclosed for business purposes. If the customers don’t agree, they have the right to opt-out of the sale of their personal information without retribution.
In this instance, the terms “sale” or “selling”, refers to “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” If the customer opts out of selling, the company cannot ask them to opt back in for 12 months.
Additionally, the law bans companies from offering a higher tier of service for one user who agrees to divulge more personal information versus a consumer who only agrees to share limited data. While a company cannot refuse users equal service, businesses have the right to offer financial incentives for the collection or sale of personal information. They can offer, for example, a different price or level of goods or services to consumers that opt-in, if that “price or difference is directly related to the value of the consumer’s data to the business.”
Finally, if a company decides to use personal information in a manner that was not initially disclosed to the consumer, that company must “obtain explicit consent” before doing so.
What happens if a company fails to comply with the CCPA?
Companies that violate the CCPA and fail to remedy violations within 30 days of being notified face fines up to $2,500 for each violation or $7,500 for each intentional violation. If we consider how many records are affected in a single breach, fines can increase very quickly.
In addition to fines, there is also another potential financial risk. The Act provides for an individual’s right to sue, and it allows class action lawsuits for damages. For example, the law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can file litigation. The consumer may also sue if they are unable to determine how their information was collected or obtain copies of that information.
If we add up the number of potential impacts, such as IT response, forensics and recovery, legal, notification, and so on, a breach of the CCPA may threaten the very existence of a small business. The good news is that if a company took the steps needed to comply with GDPR, then it’s most of the way there for the California Consumer Privacy Act.
Concluding Thoughts
The CCPA also has the backing of Microsoft and other industry leaders. Microsoft announced last month that it plans to implement the provisions of the CCPA not just in California, but for all its customers, too. At the same time, the law has ignited the debate for the need of a federal privacy law. Critics argue a federal privacy law that provides consistent guidelines would be preferred, rather than individual state laws, and the need for a uniform federal law grows, “more urgent by the day. The longer American legislators fail to act, the greater the harms become,” argues Justin Sherman.
As always, the devil lies in the details and in the law enforcement. Ambler T. Jackson, Attorney and Data Privacy and Protection expert, says that “The date of enforcement should really have no bearing on an in-scope business’ efforts to implement CCPA data access, opt-in and opt-out requirements. If you are the responsible individual for privacy and your company falls within scope for CCPA, you should have already updated the privacy policy and privacy notices to reflect the change in law. To further meet CCPA key requirements, take every measure to create a solid plan to accept and respond to all consumer requests to know and delete their personal information as well as opt-out of the sale of their information
As the days pass and the beginning of the enforcement of CCPA nears, consistently work to fine-tune your compliance efforts and document every step and every decision. Consider remaining flexible in your approach to comply with the intricacies of the law as additional CCPA updates are anticipated prior to the start of the enforcement period. Stay ahead of the compliance game by making weekly briefings, status updates and meetings involving legal, compliance, security and IT mandatory at least until 1 July.”
ITEGRITI has the tools and the experience to help you meet regulatory obligations with proven methodologies. Learn how at itegriti.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.