Following the debut of Europe’s General Data Protection Regulation (GDPR), US companies started worrying about when data collection and privacy regulations would arrive in North America. As might have been anticipated, the first state to take on the issue was progressive-leaning California. In late June 2018, the state government passed the California Consumer Privacy Act, or CCPA*. It is set to go into effect in 2020.
What Is In the CCPA?
The big difference between GDPR regulations and the CCPA is that the latter requires opt-out consent, while the GDPR requires opt-in. A year after GDPR went into effect, businesses are thinking harder about just how much data they need, and consumers are more aware of how companies collect and use their data, and how well they safeguard that data. No one is certain whether GDPR has improved consumer comfort with businesses’ use of data, or just added a new level of irritation around all of the opt-in requests.
The consumer and data privacy law is making its way through the California State Assembly amendments process, and must receive final approval in early September.
Lawmakers continue to add rules for information collected for customer loyalty programs, and for how businesses must respond to consumer requests for copies of their personal information. The International Association of Privacy Professionals reported that 55% of US privacy professionals expect to be in compliance with the CCPA by January 1, 2020, with another 25% expecting that status by July 1, 2020, when the law will become enforceable.
What the CCPA Requires
Companies with annual gross revenues totaling $25 million or more, those that buy or sell customer data on more than 50,000 individuals, and those that make more than half of their annual revenues from selling customer data must comply with the following CCPA rules:
- California residents are allowed to ask what information companies collect about them.
- Data collected must be made available via mail or email should individuals request it.
- Companies must provide explicit information on how and to whom personal information is sold and shared, and for what reasons.
- Companies must honor individuals’ requests to opt out of data collection and sale.
- Companies must honor any individual’s request to have their personal information deleted. Companies may be exempted from complying if that information is necessary for security reasons, or certain other exceptions.
- Companies may not bar individuals from continuing to receive goods and services if they opt out of sharing personal information. But companies are permitted to incentivize consumers to share their information, such as by charging individuals different levels of quality of service for opting out.
Smaller companies will be most vulnerable to fines for violating privacy regulations. The CCPA’s minimum fines for a data breach are $100-$750 per affected Californian. Bigger companies may be able to absorb that cost, but smaller firms will feel the pain. Companies that do business in California should check to see how they will be impacted by the CCPA, and take steps to comply.
Why businesses (and their agencies) need to plan for privacy compliance now
The CCPA is expected to be the first of many new data privacy regulations, and most digital marketers and tech observers anticipate federal regulation will happen. They recommend companies adopt a global data policy strategy. Key policies include user consent (opt-in to have data collected and shared); terms of liability; and establishment of compliance oversight. Following are a few compliance to-dos:
- Designate a data protection/compliance officer.
- Map the user data the company collects, how the data is used, who it is shared with, and so on.
- Discuss data compliance with all partners.
- Ensure agreements protect your firm.
- Review management processes for consent and user data collection regularly.
Data privacy is a growing concern for consumers, and ethical companies need to work toward better, more thoughtful data collection, use and security. The CCPA is your second opportunity, following the GDPR. Don’t be caught with your privacy drawers down when additional regulation looms. Start the compliance planning today so you are prepared to shift to the new regulatory environment.
*Not to be confused with the state of New York’s CCPA. The Climate and Community Protection Act is aimed at investing in climate change response across all sectors of the state economy, with one area of focus ensuring that low-income communities of color, often most affected by industrial pollution and effects of climate change, will have a strong voice in planning and decision-making.