California has long been a leader in privacy protections. The state legislature began paving the way with its 2002 data security breach notification law and followed that with the 2004 law addressing privacy policies. Its latest effort is the California Consumer Privacy Act of 2018 (CCPA), which was signed into law on June 28, 2018, and will take effect January 1, 2020.
A sweeping consumer privacy law, the Act establishes additional regulations to be followed when processing personal data of California residents and will have a widespread impact due to the global nature of California’s economy. It provides consumers more insight as to what personal data is being harvested and what is being done with that information.
The CCPA protects California residents not just as consumers but also in regards to their status as employees, patients, students, tenants, etc. It establishes a broad definition of personal information, expanding it to pertain to any information that relates to a consumer, household, or device. This can include IP addresses, geolocation data, Internet browsing and search histories and more. The definition of personal information does not include information that can’t reasonably identify a consumer or device, information that is lawfully made available from government records, or information that is available to the general public.
The law pertains to any company, worldwide, that receives personal data from California residents and meets or exceeds one of the following thresholds:
· Earns an annual gross revenue in excess of $25 million;
· Collects information from more than 50,000 consumers; or
· Earns 50% or more of their revenue from selling the personal information of California residents.
These guidelines apply not only to individual businesses but also their parent company and any subsidiaries.
The CCPA could impact digital advertising based on behavioral profiles on platforms like Facebook, Twitter, and Google, as well as Internet providers that collect web browsing data to generate marketing profiles. Ad tech firms that store tracking cookies on visitors’ browsers may have to provide consumers the option to ask that any information collected be deleted. Some of these companies have argued that much of this information is disassociated from specific individuals. It is best to assume there will be no loophole, however, as the company would have to prove that the disassociation could not somehow be undone.
Under the new law, businesses have to disclose their practices with consumers’ personal information at the time the information is being collected. Their general privacy policy must communicate what information has been collected, where it was collected from, what it is being used for, with whom they share that information, and whether that sharing is simply disclosure or a sale of information to a third party.
The CCPA requires that companies provide an opt-out for consumers who do not wish to have their personal information sold, a data version of the “Do Not Call” list. This opt-out is to be in the form of a “Do Not Sell” link on the company’s homepage. The Act also gives consumers the right to request that a business delete all personal information being held. A portion of the Act requires non-discrimination, or equal treatment, of consumers who opt out. The CCPA also gives consumers the right to access their personal information in a usable format that enables the data to be readily transferred to a third party.
Businesses have 45 days to respond to requests and complaints. They may not charge consumers for those requests but are only obligated to respond to two inquiries per year from any one consumer. Companies must provide at least two contact methods with a toll-free number and website address being the general expectation. Businesses may also provide email or location addresses.
During the response time, companies must also notify the Attorney General of the filing. It is the Attorney General’s Office that would impose penalties of $7,500 per violation. In case of a data breach, consumers have a right of action and may be awarded damages between $100 and $750 per consumer, per incident.
In comparison to the European Union’s (EU) General Data Protection Regulation (GDPR), which went into full effect in May of 2018, there are noticeable differences. The CCPA prescribes concrete measures that go beyond the GDPR in regards to communication channels and disclosures. It establishes a broader definition of personal information, extending the rights to households and devices. The CCPA does not contain the GDPR’s exceptions to accessing personal data and outlines different exceptions in regards to the deletion of data. It also imposes stricter restrictions regarding the sharing of data for commercial purposes.
On the other hand, the GDPR requires consumers to opt in to having their data shared, versus the CCPA’s opt-out regulations. The GDPR does not require minimum thresholds to be met before taking effect; it impacts all organizations that collect information from EU citizens. It also establishes a shorter window in which companies must respond to consumers – 30 days instead of the CCPA’s 45 days. The GDPR provides consumers the right to correct their data as well as the right to be notified of any security breaches. The CCPA does not cover data breach notification or data security implementation.
Experts suggest that companies carefully inventory all personal information received from California residents to ensure their ability to comply with requests for access, deletion, etc. Businesses should clearly, and in multiple places, provide a means by which to contact the company and request data. They should also display a clear opt-out link on their homepage that allows consumers to indicate they do not wish to have their personal information sold.
Companies should establish processes by which to verify the identity of anyone submitting a request, to complete requests in a timely manner, and to ensure that the opt-out period is a full twelve months. As they establish a compliance process, they should also establish guidelines for documenting their actions. Businesses should also update all privacy policies to reflect the changes.
The potential financial impact on consumers remains to be seen. Toll-free numbers, notices, required mechanisms, etc. will cost businesses money to establish and maintain. Larger companies may be able to absorb much of the costs, but smaller companies will, undoubtedly, pass the expenses down to consumers.
The time between now and the January 2020 CCPA implementation date provides ample opportunity for further shaping of the regulations. It is expected that the California legislature will work to simplify and align the CCPA and previously existing privacy laws.
Is this something that could affect your business? Wondering if your marketing falls safely within other privacy and compliance best practices? Contact us today for a free 30-minute strategy consult.