What California's new CCPA will mean for Your Business
Inspired by the General Data Protection Regulation (GDPR) that came into effect across the European Union (EU) in 2018, California enacted one of the most comprehensive laws created to protect consumer rights.
On June 28, 2018, California voted the California Consumer Privacy Act of 2018 (“CCPA”) into law. The CCPA will go into effect on January 1, 2020, giving companies across the country only eight more months to prepare for the impact of this new law.
What CCPA Means For Businesses and What Are Your Major Compliance Requirements?
The CCPA is designed to give consumers more control over their own data. Under this law, consumers have the right to know what data a company has about them, why a company is collecting this data, the right to say no to their data being sold or shared with third-parties, the right to delete their own data, and numerous other protections.
Consumers will soon have the right to ask businesses for the data they have on them, which means they will need to disclose everything collected on that customer from the previous 12 months. This can include “IP Address, physical location, browsing history, search history, or other such information that could be used to identify a consumer.”
CCPA is primarily designed as a way of protecting Californian citizens. However, the law has nationwide and international ramifications, for businesses that generate revenue from selling goods or services to Californians, and those - such as technology and marketing companies - that collect or process data on Californian citizens.
The CCPA has a long list of significant requirements that a business subject to the law must comply. Some of the most important of these are:
Duty to Disclose: If requested, you must provide a customer with the data you have on them (as part of complying with this obligation, on a companies website, the Privacy Policy should clearly state what data is being collected and how that personal data is being used);
Duty to Provide Access to Data: If requested, you must provide a customer access to that data, covering at minimum all of the data collected during the previous 12 months.
Duty to Delete: If requested by a customer, you need to delete all the data you have obtained about a customer, including if this data is stored on the server of a third-party company that is contracted to provide services to your company. Although, there are a number of exceptions to this, including when a company is processing a transaction for a customer, or when deleting it would prevent compliance with a legal obligation.
Customer Opt-Out: if requested, you must allow a customer to opt-out of you sharing their data with any third-party, including a service provider. It should also be noted that, for minors, ages 13-16, customers must specifically opt-in, thereby giving them greater protections under the law.
A duty to provide equal service. There should be no penalty for customers who opt out: a business must provide the same service at the same price to a customer who opts out of any data collection as it charges a customer who does not opt out, nor any denial of goods or services.
While the above requirements may seem simple enough, it’s important to note that the CCPA has numerous additional conditions related to each these requirements as well as multiple exceptions setting out when these requirements do not apply.
If Your Business is Located Outside California, Why Should You Care?
The CCPA is specifically designed to apply to both California-based businesses and businesses located elsewhere (for example, in New York) that do significant business in California even if they are not located in California. That means that if you have a business that sells goods or provides services across the United States, there is a very real chance that the CCPA will apply to you.
Qualifying Criteria: Your business will be subject to the CPPA if, first, your business deals with any kind of personal information of Californians even if the business does not maintain a physical presence in the state, and, second, if even ONE of the following criteria applies:
The business generates annual gross revenue in excess of $25 million; or
The business receives or shares personal information of more than 50,000 California residents annually; or
The business derives at least 50% of its annual revenue by selling the personal information of California residents.
Smaller businesses should be very careful here: you may not think the CCPA applies to you because you are not generating $25 million in annual gross revenue yet.
However, if you have any online presence and are marketing, advertising to and/or doing business customers or users located all over the United States, you may very well be receiving or sharing the personal information of more than 50,000 California residents in a year just by your normal business operations.
What are the potential consequences of non-compliance?
Government Fines: the law allows the Attorney General of California to fine a business $2,500 per accidental violation of the law and $7,500 per intentional violation. And while the law is not 100% clear on the matters, it looks like these will be fines per affected consumer not simply ‘per incident.’ So, for instance, if a business accidentally violated the CCPA and 100 consumers were affected, the total fine could be as high as $250,000! The good news is that the CCPA requires that a business will be provided with 30 days to fix any non-compliance before a fine can be applied.
Actions by Consumers: a consumer can also bring a legal action against a business if any unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards. In that case, the CCPA provides for damages of $100 to $700 or a consumer can sue for damages actually suffered.
MGLS: Simplifying consumer data protection law, wherever you are: Ask A Question or Schedule a Meeting/Call.
Disclaimer: This article constitutes attorney advertising. Prior results do not guarantee a similar outcome. MGLS publishes this article for information purposes only. Nothing within is intended as legal advice.