In June 2018, the state of California passed an expansive online privacy law called the California Consumer Privacy Act (CCPA). While not as expansive as the European Union’s (EU) sweeping Global Data Privacy Regulations (GDPR), CCPA is a clear harbinger that more stringent U.S. data privacy regulations have arrived and more are likely on the horizon.
American companies that escaped the GDPR compliance behemoth are now on notice: CCPA goes into effect in January 2020.
What the CCPA’s impact will be is a great unknown. However, it’s certain that its impact will be significant and wide-reaching, as California is the largest economy in the U.S., the fifth largest economy in the world, and home to many of the most powerful and influential global tech companies, many of which lobbied hard to prevent the CCPA from becoming law.
The CCPA and GDPR are the latest legal moves in response to widespread outcry over high-profile data breaches and privacy scandals that have shaken public trust to its core.
Gemalto, a digital security company, released its annual Breach Level Index findings in October 2018. The report found that 4.5 billion data records had been compromised globally in only the first half of that year and that 15 billion data records had been exposed since it started monitoring this data in 2013.
One can cite any number of data privacy controversies to understand the call for greater data regulations. Whether it was the Equifax breach, Facebook’s shady dealings with Cambridge Analytica, or the hacking of Paul DePodesta’s emails in 2016, data privacy issues, both ethical and technical, have put consumers and lawmakers on alert.
Most parties agree that strengthening data privacy and data security is important. How CCPA regulations get enforced and how efforts to comply with CCPA will impact businesses is yet to play out. The public will certainly know more after January 1, 2020, when CCPA goes live and the law and its real-world applications crash together.
For now, however, it’s important for all U.S. businesses to understand the scope of CCPA and whether or not it will impact them.
Below we offer a summary of key aspects of the CCPA. A caveat, however: It’s incumbent on all U.S. companies to delve into the nuances of the law to ensure compliance. The full CCPA legal language can be found here.
What is the California Consumer Privacy Act of 2018?
The CCPA is a consumer data privacy law passed in 2018 that will go into effect on January 1, 2020. There is a six-month enforcement grace period for companies that ends July 1, 2020.
Put simply, the CCPA is a data privacy protection law that aims to empower consumers with greater control over how a business can store and use their personal information. In some ways, the CCPA is a data privacy Bill of Rights for consumers, providing them with more power to tell businesses what they can and cannot do with their personal data.
What Businesses Will Be Impacted by the CCPA?
As mentioned, the CCPA is a consumer-focused law. However, it also impacts businesses for obvious reasons. Like the GDPR, how far the CCPA reaches out across borders can be a bit murky. While the GDPR is an EU law, U.S. businesses that track EU consumer data or sell goods and services to the EU must comply with the law even though they operate in the States. CCPA is similar in that businesses outside California’s borders could fall within the CCPA’s legal purview.
The CCPA defines a “business” as, “A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California.”
A business that satisfies one or more of the following thresholds must comply with the CCPA:
- A business that has gross revenues in excess of $25 million
- A company that does business in California
- A business that collects personal information and determines “the purposes and means” of processing consumer personal information
- A business that “Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
- A business that “...derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
The definition of “personal information” is complex and could be a bit difficult for businesses to wrap their arms around. The CCPA defines “personal information” as, “...information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Businesses are exempt from CCPA compliance “...if every aspect of … commercial conduct takes place wholly outside of California.” It is critical to note that businesses that don’t collect personal information directly could still be impacted by the law if they are involved with third-party entities that collect data. In some cases, the relationship between a single business and personal data collection can be very tricky, and every business needs to be aware of tangential, third-party data collection contingencies in the CCPA.
What Are California Consumers’ Data Privacy Rights?
The CCPA broadly defines a “consumer” as a California resident. The CCPA grants a consumer the following data privacy rights:
- Right to Notice. Businesses must inform/notify consumers “at or before the point of collection” about what information is being collected and how it will be used. In addition, businesses will need to make specific disclosures in their privacy policies.
- Right to Access. Consumers also have the right to request information about personal information categories, sources and commercial purposes, as well as third-party data collection relationships.
- Right to Opt Out. Consumers can direct businesses to stop the sale of their personal information.
- Right to Request Deletion. Consumers can request deletion of personal information from a business database if this data was collected from the consumer.
- Right to Equal Services and Prices. This provision is complex, but it basically protects consumers that exercise any of these rights from a backlash, i.e., price hikes or the denial of goods and/or services.
Once again, this law is complex and nuanced, at best, and ambiguous and too broad, at worst. Businesses must do their due diligence to understand the CCPA and how it might impact their operations.
What is GDPR?
The EU is widely viewed as the global leader in implementing stronger data privacy regulations. The U.S. has largely lagged behind the EU in this area, with the implementation of GDPR acting as a framework and spark for the CCPA.
GDPR enforcement has been in effect since May 25, 2018. GDPR is a group of laws designed to standardize data privacy across Europe, including data that flows across national boundaries. GDPR has 99 articles and is the most comprehensive data privacy law worldwide (to read the full 99 GDPR articles click here).
The most notable enforcement measures to date have been taken against Google, British Airways, and Marriott. In early 2019, France’s data watchdog fined Google $57 million USD for breaching the GDPR. On back-to-back days in early July 2019, British Airways and Marriott were fined $230 million and $124 million, respectively.
What Should U.S. Companies Do About the CCPA?
Businesses subject to the CCPA have less than one year from the time of this post before enforcement begins in July 2020. Bring your leadership team together and consult your legal team or lawyer to understand if and how your business must comply with the CCPA. Failure to do so could result in devastating fines and mortal damage to your brand if consumers perceive that data privacy is not a priority for your organization.
Compliance is never exciting. However, it might help kick start your company’s CCPA efforts if it looks at CCPA compliance through a different lens: Strong CCPA compliance is a potential brand differentiator against competitors that are lagging behind. While a business certainly wants to avoid fines and bad PR for CCPA violations, building a strong compliance program can also create a stronger brand and revenue, particularly given that most U.S. businesses are behind the proverbial “eight ball” when it comes to CCPA.
In a recent Forbes post by Forbes Council Member Kayvan Alikhani, the author notes the following important data: “A recent survey by Dimensional Research (via Help Net Security) of 250 executives and managers at U.S. businesses likely to be affected by the CCPA found that nearly half (44 percent) haven’t taken any steps towards compliance. In fact, only 14 percent of respondents are confident they will be ready by the time the CCPA takes effect.”
Don’t get overwhelmed by the CCPA’s complexity. The most important step you can take is a simple one: Take action now.