On January 1, 2020, Californians, through the California Consumer Privacy Act (CCPA), will gain unprecedented control over their personal data and rights to privacy, as well as the legal recourse to take action against companies who fail to protect those rights.
According to the regulation, Californians will finally be able to put their collective foot down and get specific answers about how their data is used, or, if they choose, delete their personal information. Companies holding and using their data will have no choice but to comply. These new protections, however, have implications that go far beyond businesses inside the Golden State. Companies operating in countries far away from California may be impacted. To understand why it is so important for businesses and consumers to become knowledgeable on CCPA, one need look no further than the European Union’s General Data Protection Regulation, more commonly known as “GDPR”.
GDPR was born out of the European Union’s desire to crack down on: businesses storing, selling and using consumer data without being transparent enough (or at all) about how they were using that data; businesses which suffered massive cyber breaches and theft of consumer data; or businesses which had inadequate processes and protections in place to prevent such breaches. Since GDPR’s adoption for all EU member states in April 2016 and subsequent enforcement in May 2018, global businesses have felt the sting of implementation, and some have already been the subject of stiff fines for breach of compliance – most notably Google and Marriott, both US-headquartered companies. No matter where you do business, if you store, sell or disseminate data on EU citizens, it’s a whole new world of data management. Under GDPR (among other restrictions outlined in its 99 articles), companies are required to be transparent with consumers about how their data is used. Companies must provide a reasonable and accessible mechanism for consumers to consent to usage of their data and must allow consumers the “right to be forgotten”, which means consumers can, in certain circumstances, request erasure of their personal data from business records.
Now, CCPA, dubbed the ‘cousin’ of GDPR, embarks on a similar mission to protect Californians.
According to the Office of the Attorney General of California, for-profit businesses with consumers in California must comply with CCPA if one or more of the following is true:
- gross annual revenues are in excess of $25 million;
- the business receives, or sells the personal information of 50,000 or more consumers, households, or devices per year;
- 50 percent or more of annual revenues of the company are derived from selling consumers’ personal information.
In order to comply, businesses are directed to not only provide detailed descriptions of how and for what purposes data is collected, used and sold via a clearly written privacy policy, but businesses must now also create specific procedures to: allow consumers to opt-out of third-party data sales; manage requests from California residents to review their data, including the provision of the information free of charge within a limited time period; delete consumer data if requested, and retain and maintain records resulting from those requests for audit and compliance purposes. In short, CCPA will force every company subject to the above parameters to completely rethink its data management practices. (A detailed fact sheet can be found at the Office of the Attorney General of the State of California Department of Justice website here.)
The impact doesn’t end with mere procedural implementation requirements. Starting in July 2020, breach of compliance carries significant civil penalties. Under CCPA, fines will cap at $7,500 per violation if intentional and $2,500 if unintentional. While legal experts are still reviewing the application of the fines, it appears that these fines may apply per user record, which means an unintentional breach of compliance involving 100,000 individual user records – well within the realm of possibility – could result in a whopping $250M penalty!
Though some companies may think they are in the clear because they don’t do business in California or have California customers, it’s no time to celebrate. Privacy advocates across the US are already evaluating this landmark regulation as a blueprint for the rest of the country, potentially setting the stage for comprehensive, federally mandated consumer protection laws à la the European Union. The next six months will be critical as businesses assess the burden of, and their ability to efficiently respond to, requests from California consumers who will likely exercise their rights to do so. In parallel, consumers in other states may use CCPA as leverage to put public pressure on lawmakers to equip them with the same rights as their brothers and sisters in California.
However, in terms of real impact, skeptics are already pointing out that the burden of exercising those rights lies with the consumer, who, on average, may neither fully understand their new rights nor take the time to truly investigate and take action regarding the use of their data. The process for outreach to businesses is highly manual, and, at the moment, presumably equally so for companies just spinning up response teams in anticipation of January 1. It is our experience that, in situations like this, with emerging operational and technical requirements stemming from new territory in legislation, enterprising individuals and entrepreneurs who champion the cause (in this case, privacy) will quickly build solutions to better enable the process. For CCPA, we are potentially talking about solutions that equip consumers with more automated tools to support the data request process (especially if we see more states falling in line behind California) – in the same way that startups around the globe have sprouted up, offering businesses solutions to manage GDPR compliance. If this happens, as more and more consumers are empowered, it will be interesting to see the tug of war between the two sides unfold, as well as a potential and unanticipated market of new services and solutions.
There is no question that, despite the kinks that are still being addressed, this train has left the station, and corporations are bracing for a new era in privacy legislation. Well-positioned businesses have already structured their response to CCPA through a comprehensive program of communications, data management and operational effectiveness, integrated into corporate governance and oversight of risk management. Those behind the curve should be asking themselves: Have we sufficiently updated the privacy policies on our website(s)? Have we specifically addressed CCPA, and do consumers have a clear path to communicate with us? Have we adequately analyzed our data processes and data management practices to be compliant? Are we on top of the data in question? Have we built and trained the necessary internal teams on procedures to manage requests from consumers? Can we meet the mandated timelines to respond to requests? Can our processes scale if need be? Have we looked at and addressed the various scenarios that may make us non-compliant? Are we ready?
If businesses haven’t already gotten themselves organized around the policy and procedural requirements under CCPA, the time to do so is right now. Everyone else not already in the cross-hairs may want to take a page from the CCPA playbook and get ahead of this game by reviewing their current privacy and data management procedures, with one eye fixed on lawmakers developing privacy legislation in their own state.