The state of California passed the California Consumer Protection Act (CCPA), a law that will strengthen user privacy and require greater data transparency within the state. Based on regulatory changes in Europe, we had a hunch similar data privacy laws would come to the States… but boy, was that fast! The CCPA looks a lot like the EU’s GDPR, but there are overarching policing differences. The CCPA is planned to go into effect on January 1, 2020, but there are more revisions and clarifications to come.
What is the CCPA?
The California Consumer Protection Act was driven by the increase in consumer data breaches (specifically the Cambridge Analytica scandal), growing privacy concerns and the global trend toward data protection. However, unlike the changes we’re seeing in Europe, the CCPA focuses exclusively on data collection.
This bill protects consumers by ensuring that California businesses comply in their privacy policies, security protections and facilitation of consumer rights.
California citizens have the right to:
- Know what personal information is being collected about them, access that information and delete that information. Businesses are required to report any information that has been collected. Users have the right to request that it be deleted, and businesses must comply, with few exceptions.
- Know whether their personal information is sold or disclosed and to whom, and say no to this transaction. Consumers can now opt out of businesses selling or transferring their information.
- Equal service and price, even if they exercise their privacy rights.
At this point, the law does not describe what is covered by “personal information.” From what we understand so far, this could include anything from names, addresses, social security numbers, email addresses, geolocation, IP addresses, shopping/browsing history, psychological profiles, behaviors, attitudes, consumption behaviors and consumer preferences. Or… pretty much everything.
Who the CCPA Affects
The CCPA will apply to any business that operates in California, whether or not it is a California company, that fits one of the following descriptions:
- Businesses with annual gross revenues of at least $25 million
- Data brokers and other businesses that buy, sell, or share the personal information of 50,000 or more consumers, households, or devices
- Businesses that get the majority of their annual revenue from selling consumers’ personal information.
If a company fits one of the above descriptions and does not comply with the CCPA…?
- Citizens can bring a civil action against companies with fines of $750, or higher if more damage can be proven.
- The state can bring charges against a company directly, levying a $7,500 fine for each alleged violation that isn’t addressed within 30 days.
Things to Consider
Before making any recommendations, there are several pieces that still need to be defined and clarified by the government. Also, we are not lawyers and anything recommended in this post is a suggestion, not official legal advice.
So, how can you prepare for this new bill?
- Determine what data you have, where, and with whom. Of this data, what is immediately important to legal and business needs?
- Do you have a mechanism to delete a consumer’s information, if requested?
- You may want to consider minimizing your data “touches,” or removing the data intermediary and collecting data from consumers and prospects directly.
Like GDPR, CCPA will affect businesses outside of the jurisdiction – it’s better to comply with the regulation and show your audience that you care about their protection than to address a portion of your audience differently. (Plus, if this regulation is implemented across the U.S. in the future, you will be ahead of the game!) There are nearly 40 million people living in California – brands in the U.S. and abroad cannot afford to ignore this marketplace!
If you have any questions about this new legislation or about how your business will be affected, please reach out.