Everything You Need to Know About the California Consumer Privacy Act (CCPA)

The Way We Treat Personal Data is Changing

There are three types of people when it comes to data privacy:

Those who willingly sign up for online surveys that request the rights to their first-born child in hopes of receiving $1 in reward points on an obscure app;

Those who believe Facebook, Google, and Amazon are a secret cabal of identity thieves;

And, more commonly, people who are becoming aware that their digital footprint is a real thing and that, in the wrong hands, their data can be misused.

With events like the Cambridge Analytica scandal and the Equifax data breach happening more frequently, government officials are beginning to address consumer privacy concerns. That leads us to the newest digital precedent in the United States, the California Consumer Privacy Act (CCPA).

What is the California Consumer Privacy Act?

The CCPA, also known as Assembly Bill No. 375, is a legislative initiative that was enacted in 2018 to give California consumers more stringent privacy rights. It is by far the strictest data privacy legislation in the United States and has similarities to the European Union’s GDPR guidelines that went into effect in 2018.

The new law empowers California’s 38 million digital users to take control of their online footprint. These new data privacy protections include:

The right to know. California consumers have a right to know what personal information is being collected about them. This covers the right to know whether their personal information is being sold and to whom.

The right to access. California consumers are allowed to request a copy of their personal data profile.

The right to say no. As an extension of knowing to whom their information is sold, Californians have the right to say no to the sale of that personal information. This also includes the ability to opt out of services and contact (emails, direct mail, texting, phone calls, etc.).

The right to delete. California consumers have the right to request deletion of their personal data.

The right to equal service. No organization can discriminate in terms of services or price if a California consumer chooses to exercise their right to data privacy under the CCPA.

For companies, this means updating privacy policies, increasing data security, reacting to consumer queries, and implementing internal processes to handle data privacy requests.

If a company is found in violation of these new regulations, the State’s Attorney General will have the authority to levy fines for each instance of violation. Only under certain scenarios, like a data breach, will consumers be able to bring suit under the CCPA guidelines.

If you’re interested in reviewing the full text of the California Consumer Privacy Act, it can be found on the California Legislative website.

California Consumer Privacy Act Applicability

The first question everyone is asking is: who does the California Consumer Privacy Act affect? Conflicting information is floating around, mostly because the bill has gone through multiple rounds of revision, including receiving input from public forums. Luckily, the California Legislature’s final revision is publicly available and fairly straightforward:

Any organization that collects, buys, or sells data from California residents for business purposes and does at least one of the following:

  • Has yearly gross revenues of $25 million or greater,
  • Buys, sells, or receives 50,000+ pieces of personal information on consumers, households, or devices,
  • Derives 50%+ of annual revenue from selling consumers’ personal information.

When business services are referenced, this can include selling advertising, analytics, servicing accounts, providing customer service, processing orders, information verification, and payment processing. Essentially, if your organization comes into contact with California customer data that is providing economic value, it is considered under the CCPA umbrella.

The second most common question everyone’s asking is: does the CCPA apply to companies outside of California? The answer is yes, as long as you are coming into contact with the data of California consumers and fall into one of the above categories.

Additionally, there is a clause that indicates third-party service providers of organizations that fall into the CCPA guidelines should take steps towards compliance. This most likely has to do with service providers that work on, host, and come into direct contact with their customers’ databases. If these databases are saved locally or backed up by hosting providers, then consumer requests to remove data need to be taken into consideration by the servicing companies.

When Does the California Consumer Privacy Act Go Into Effect?

The CCPA goes into effect on January 1st, 2020. However, organizations that aren’t in compliance will be given a 6-month grace period to adopt the proper regulations. Official enforcement by the California Attorney General will begin July 1st, 2020. With that being said, it’s best to begin the compliance process sooner rather than later.

How to Comply With the CCPA Guidelines

To be in compliance with the California Consumer Privacy Act, website owners will have to make a couple of changes. Some of these changes could prove to be costly and should be considered in upcoming digital budgets. The California Department of Justice offered a preliminary estimate of a minimum of $467 million in compliance-related expenses over the next 10 years. For companies that have already implemented GDPR procedures, many of these changes will already be in place.

Here’s how businesses should begin:

  • A privacy policy linked from your global site footer that defines how you use, collect, sell, share, and secure consumer data.

  • A clear link to a data request page with a request form or email address for users to reach out with data requests. The California Legislature suggests (not requires) titling this page “Do Not Sell My Personal Information”; however, many companies are using terms like “Privacy Request Page” and “Privacy Center”.

  • Include a description of consumers’ rights (as stated within the Consumer Privacy Bill) in your privacy policy while also linking to the associated privacy request page. It’s also suggested that you include a California-specific description regarding the new CCPA rights.

  • Maintain strict internal opt-out policies. Consumers can opt out of data collection, sale of data, contact, or all three. If a consumer makes one of these requests, then respect that request ASAP. Make sure there is an employee who is in charge of monitoring, responding to, logging, and handling these requests.

  • Have an internal procedure that dictates how consumers will receive a copy of their data on request, and how data profiles will be opted out of certain scenarios or entirely deleted.

California Consumer Privacy Act Fines & Citations

Primary litigation under the CCPA will be brought by the California Attorney General, who will have the ability to issue fines of up to $7,500 per violation. For companies with databases in the thousands or even millions of data profiles, these citations will quickly add up.

Offending organizations will be given 30 days to respond to written violations and remedy their error before legal action is taken. While the California Attorney General will primarily be responsible for bringing litigation against those in violation of the CCPA, individuals affected by violations will be given the right to pursue similar damages if the Attorney General fails to bring action within 6 months of the violation being reported.

Additionally, in the case of a data breach, individual consumers will be able to claim damages through litigation of $100 - $750 per violation. While those amounts can sound insignificant, claims from a data breach add up quickly. For example, the California Department of Justice reported the Equifax breach affected 147 million consumers, 15 million of whom were California residents. If this breach had happened after the CCPA was instituted, it would’ve resulted in a $1.5 - $11.25 billion settlement with California consumers alone.

Where to start

The California Consumer Privacy Act will be a big change for companies that haven’t updated their digital data processes. We highly suggest that any organization that does business in California speak with a lawyer who is familiar with digital data policies before California begins enforcing the new CCPA regulations.

While the newest legislation in data privacy might not affect everyone yet, the digital community is seeing an enormous spike in privacy-related bills introduced in state legislatures. The National Conference of State Legislatures reported that 151 bills related to data privacy were introduced in 25 states in 2019. Personal data has become a hot-button issue, and sooner or later companies will be forced to act. It will pay long-term dividends to update data protection policies before facing consequences.

If you need a consultation regarding website changes to assist in CCPA compliance, contact us and we will be happy to help.