A piece of landmark privacy legislation, the California Consumer Privacy Act of 2018 (CCPA), goes into effect on January 1, 2020. If you own or manage a business, you need to understand how this law will affect your operations. Even if you are not in business, it will affect your personal privacy rights.
What is the purpose of CCPA?
American companies have, up until this point, been able to commodify the data of their users with little or no safeguards designed to protect consumers. The sheer number of recent high-profile incidents, such as the Equifax breach, Facebook’s Cambridge Analytica scandal, and the DoorDash breach, has emphasized the need to focus on consumer protection.
Who is this impacting?
The law was written to protect California residents, but its reach extends well beyond the state. When it goes into effect, it guarantees:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
Even though the legislation is written for consumers in California, it covers any qualifying business that does business in the state and collects personal information of California residents, regardless of where that business is located. This makes it a law with national implications. The definition of “consumer” is broad enough to include employees and job applicants, who are not ordinarily thought of as consumers (though see the AB 25 amendment below, which carves out most employee data for now).
Businesses must offer at least two ways to submit requests, typically a web form and a toll-free phone number, through which anyone can ask a company to disclose the data it has collected on them. We will start to see links labeled “Do Not Sell My Personal Information.” Exercising these rights won’t change the quality or availability of your service: the bill specifically states that a business may not refuse service, reduce quality, or raise prices because a consumer has made a privacy request or asked for deletion. The one exception is a financial incentive (such as a loyalty program) that is reasonably related to the value of the data and that the consumer opts into.
Previously there was little a person could do proactively to protect themselves. It wasn’t until a breach happened or unethical choices came to light that a regulator was able to step in. CCPA changes the timeline in favor of the customer.
Which companies need to be compliant?
If your company sells data as a core part of its business, this almost certainly applies to you. More precisely, a for-profit business that does business in California must comply if it meets any one of three thresholds: more than $25 million in annual gross revenue; annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of its annual revenue from selling consumers’ personal information.
This bill was written with the big companies in mind: Facebook, Amazon, Google, and others of that size and dealings. It’s very likely that these thresholds don’t match your business. But don’t rest on your laurels too hard. Note that the 50,000 threshold counts devices as well as people, so a modest website or mobile app can cross it faster than you might expect, and an entity that controls or is controlled by a covered business and shares its branding is covered too.
It makes the most sense for organizations to update their privacy practices to the highest standard in the land. In the States the highest standard is now held by California due to CCPA but in the EU, the GDPR is the standard. I recommend shooting for the most stringent requirements so that should your local laws get tougher, you are likely to already be in compliance.
What happens when there is lack of compliance?
Civil penalties are up to $2,500 per unintentional violation and $7,500 per intentional violation, and only the California Attorney General can enforce them (enforcement actions cannot begin before July 1, 2020). Individual consumers get a narrower private right of action: they can sue for $100 to $750 per consumer per incident, or actual damages if greater, when a breach of their personal information results from a business’s failure to implement reasonable security practices. One big problem is that the California Attorney General’s office doesn’t currently have the resources to be very effective when it comes to enforcement.
There is a “cure provision” built in: a business gets 30 days after notice to fix the violation, and if it does, the AG penalty or the consumer’s statutory-damages suit goes away. Some anticipate that lawyers will be reluctant to take on CCPA cases because the cure provision offers companies a way out.
Current Exceptions to the Rule
There was a flurry of last-minute amendments proposed in the 2019 session, some of which were signed into law, including AB 25 (a temporary exemption for employee and job-applicant data), AB 846 (customer loyalty programs), AB 873 and AB 874 (narrowing the definition of personal information), AB 981 (exempting insurance institutions), AB 1281 (disclosure of facial recognition on premises), and a few others.
My favorite is AB 1202, which requires data brokers to register with the State Attorney General (see my blog post about data brokers selling your information). The AG will maintain a public registry of brokers and has enforcement authority over violations.
Scroll up and reread the three thresholds for businesses that must comply. If any one of them applies to you, talk to your lawyer and review your data practices. If none of them applies to your business, learn more about the GDPR to make sure you are aligned with the toughest consumer protection legislation around.
Regulation isn’t coming. It’s here. It’s time to get onboard and be responsible with your business practices.