Many executives viewed the European Union’s General Data Protection Regulation (GDPR) with consternation. There seems to be less widespread concern about the CCPA, but many in the privacy community see it as a sea change in U.S. consumer privacy. Initially, the California legislature rushed the CCPA through with little debate. Both industry and privacy advocates saw potentially troublesome loopholes and ambiguities. A nearly two-year delay before implementation allowed the California legislature, with input from industry and the privacy community, to fix some of those issues. Important provisions were changed, and others added, but some ambiguity remains.
Who the CCPA applies to didn’t change. The CCPA seeks to protect only California residents, defined as consumers.
It applies to for-profit California businesses that:
- Earn annual gross revenues in excess of $25 million.
- Annually buy, receive, sell or share the personal information of 50,000 or more California residents.
- Derive 50% or more of their annual revenues from selling California residents’ personal information.
The state has taken a broad view of what it means to do business in California. It includes offering goods or services in the state – even if the business has no physical presence there. For most companies, the first step toward compliance will be to closely examine their data subjects to determine if the CCPA applies to them.
Consumer rights under the CCPA generally stayed the same and fall into five categories:
- The right to know whether and what information is being collected about them. Businesses must disclose in advance the information they collect. They have to respond to consumer requests for the categories and specific pieces of personal information collected, the categories of sources from which the information is gathered, the business purposes for collecting or selling the information, and the categories of third parties that receive the information.
- The right to opt out of the sale of their personal information.
- The child or a guardian must opt in before a business can sell personal information of a minor aged 13-16. A parent or guardian must give consent for minors younger than 13.
- The right to access, receive a copy of or delete personal information held by businesses.
- The right not to face discrimination for exercising any rights under the CCPA. This would include denying the consumer goods or services, charging a different price, providing a different level or quality of goods or services, or suggesting that any of these things may happen.
What the CCPA applies to changed slightly. Businesses subject to the CCPA must reconsider how they treat a broad range of information on California residents. The act is primarily intended to protect personal information, which it defines as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That innocuous definition has the potential to cover a vast array of data categories – some obvious, some less so. For example, it includes basics such as birth date, address, social security number and other identifiers. However, it also includes biometrics, internet browsing and search history, geolocation data, and audio, electronic, visual, thermal and olfactory information. The second step toward compliance is for companies to inventory data categories to determine if they maintain protected data. They may learn that they have far more personal information than they realized.
There are important exceptions. After the act’s initial passage, publicly available information and de-identified or aggregated data that can’t be linked to an individual were excluded.
The CCPA places four additional requirements on businesses, independent of the rights given to consumers.
They must:
- Train employees to respond to consumer requests.
- Provide methods for consumers to exercise their rights.
- Ensure that vendor agreements require the vendor to limit the use of personal information and comply with the CCPA.
- Implement reasonable security measures.
This final independent requirement may turn out to be the CCPA’s most significant provision. The act lets consumers sue a business if their unencrypted, unredacted personal information is subject to a breach because the business failed to enact reasonable security procedures. Even if a consumer suffers no actual damages, they may be able to sue for statutory damages, which can range from $100 to $750 per consumer, per incident. At first glance, this may not seem like a huge sum. But when you consider the millions of consumers affected in the largest data breaches, the numbers are staggering.
The CCPA changes the U.S. privacy landscape. It’s the first comprehensive, domestic consumer data privacy legislation, but it certainly won’t be the last. Already other state legislatures are following California’s lead and debating their own data privacy legislation. Until federal legislation preempts state regulations, businesses must comply with an ever-growing patchwork of state laws. There has recently been a promising bipartisan effort in Congress to pass data privacy legislation, but the scale of the issue and fundamental differences between privacy activists and industry suggest it may be a while before we reach a solution.
As with GDPR, a committed privacy program with buy-in from all company sectors and leadership is critical to compliance. The same will be true of the next privacy regulation, and the one after that. Building a strong privacy program is a significant, ongoing task. A privacy professional can help companies through the process. The first step is understanding the data and how it’s used.
Many worry that privacy regulations like the CCPA will cripple innovation and create unnecessary costs. Yet, the GDPR showed that a strong privacy program helps companies excel. The CCPA will be the same. Regulation may not always be the best way to force change, but a strong privacy program and commitment to privacy can give companies a competitive advantage.