California’s controversial privacy law California Consumer Privacy Act (CCPA) officially took effect on January 1, 2020, and it certainly did not go unnoticed. Passed and signed late in June 2018, the CCPA or AB 375 gives California consumers the right to see any information that organizations hold about them, and has led to frantic changes in the ways that businesses use information.
Data security needed
Your company doesn’t even need to be based or have a physical presence in California for the CCPA to apply. If you have clients or customers who are residents of California, then you need to start working on CCPA compliance.
Companies covered by the CCPA now have less than six months (starting from January 1) to become fully compliant with CCPA guidelines. However, from 2020, consumers are already allowed to start asking for the data any company has collected about them over the previous year. So, technically, if you’re covered by the CCPA, you should have had your data tracking systems in place at the beginning of 2019–something that many companies simply were not prepared for at that time.
Who must comply with CCPA?
The CCPA encompasses all business establishments (this includes all for-profit entities that collect personal data from consumers) that conduct their business in California, and fulfill any of the following conditions:
- Your business serves residents of California or
- Your business generates a minimum of $25 million per year or
- Your business has collected the personal data of at least 50,000 people or
- Your business gets more than 50 percent of its revenue from selling personal data
The only exceptions to the CCPA guidelines are “insurance institutions, agents, and support organizations” as these are already being regulated through the California Insurance Information and Privacy Protection Act (IIPPA).
Personal information according to the CCPA
According to the CCPA, sensitive data or personal information includes your real name, alias, postal address, email address, IP address, passport number, account name, driver’s license number, social security number, and other related identifiers. This is not just for online retailers or big data houses. If you collect info for something as simple as an email newsletter or analyze website traffic – you are collecting personal data.
The key provisions of the CCPA include the following:
- Businesses are required to share consumer data they collect, what they do with the data and any third parties with whom the data is shared.
- Businesses must comply with formal requests for data deletion from consumers.
- Consumers have the right to opt-out of data collection.
- Businesses can offer financial incentives to consumers who agree to data collection.
- Companies that violate CCPA guidelines will be fined by California authorities.
As with any new law or statute, it may take years for the regulators and affected businesses to fully grasp the effects of the CCPA. Currently, however, affected industries have no choice but to follow the law.
Consequences of CCPA non-compliance
If your company violates the CCPA, you have 30 days to comply with CCPA guidelines. You can be fined up to $7,500 per record if the complaint filed against you remains unresolved. Although fine conditions and amounts may vary, it is better to be aware and prepared to avoid these complications.
Also, the financial risk of CCPA non-compliance is very real, as a consumer has the right to sue at the first instance, and the bill also permits the filing of class action suits. Companies have a 30-day window to address a complaint (e.g. customer data disclosure) from the time a consumer formally gives a written notice concerning the violation of their privacy rights.
Companies that have taken steps to meet the requirements of the European Union’s General Data Protection Regulation (GDPR) may find it easier to comply (or may already be compliant) with the CCPA.
But, if this is the first time you’ll be working on CCPA compliance, your security team would do well to work with database administrators closely. You need to address concerns involving tracking, accessing, and storing data. Access to consumer data should also be secured efficiently, and ready in case a verified consumer asks for it.
What’s in store?
It’s still early days yet and it is difficult to accurately assess and fully understand the long-term effects of the CCPA, both in California and beyond. Tech companies are already pushing for the creation of a new federal privacy law that’s designed to prevent the implementation of further state-by-state requirements.
What’s clear, however, is that the initial “housekeeping” tasks required to ensure CCPA compliance are likely to be difficult and challenging for businesses. Still, the risks of non-compliance are severe, and no company wants to end up on the wrong side of these regulations.
If you need assistance in determining if your company meets the threshold and need remedy options, give us a call at 563-441-1504 or reach out online.