With new breaches reported every day, businesses that don’t move quickly to comply with an overlapping web of increasingly strict privacy standards are going to find themselves in some very sticky situations. We’ve written about GDPR and New York’s SHIELD Act and how to keep your business in compliance with the far-reaching implications of those two standards. Now it’s time to talk about the California Consumer Privacy Act (CCPA). Home to the fifth largest economy in the world, California has legislated accordingly, and its new data privacy standard takes effect in January 2020.
IBM’s Data Privacy study, conducted by Forrester Consulting, presents some troubling numbers. It reports that “as few as 28% of respondents have complete confidence in their firms’ ongoing ability to adhere to privacy requirements, even though 77% expect the number of data privacy regulations to grow. And when asked about compliance with the imminent California Consumer Privacy Act (CCPA), set to take effect in January 2020, nearly 80% of those whose companies must comply confirmed this is still a work in progress.”
The Wall Street Journal confirms: “The California law was passed last summer, but many companies delayed preparations during the lengthy amendment process. In a survey PwC conducted last year, only 52% of respondents said they expected their company to be CCPA-compliant by January 2020.”
The law, designed to hold Silicon Valley tech giants accountable in the wake of egregious breaches and foreign attacks, affects any for-profit business that operates in California and meets any one of three thresholds: it derives at least half its annual revenue from selling the personal information of California residents, it buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices, or it has annual gross revenue over $25M. By the WSJ’s estimate that is about 500,000 companies.
At its core, the law requires every covered business to be able to tell a consumer what personal information it has collected about them, and to delete it on request. Consumers must also be allowed to opt out of having their data sold. This is easier said than done: most companies currently have no central inventory that tells them what data they hold, what they have sold, and even where it is stored.
Larger companies may already be off to a good start on CCPA compliance, especially if they operate in Europe and have had to comply with GDPR since it took effect last year. CCPA is also expected to become the benchmark for the rest of the U.S., so even if a business does not operate in California, the state where it is domiciled is likely to follow suit before long. Still, PwC’s analysis predicts that a Fortune 500 company will spend at least $100 million on compliance in the law’s first year.
The Attorney General will likely not begin enforcing the law until the summer of 2020. But don’t procrastinate: consumer data requests can start rolling in on January 1, 2020, and a business generally has 45 days to respond to each one. Failing to comply exposes it to civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. And in the event of a breach caused by a failure to maintain reasonable security, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Had the law been in place before the breach at Capital One (which operates in California), where 106 million people were affected, the worst-case exposure at $750 a head would have been roughly $79.5 billion. Two caveats temper that figure: only California residents can recover under CCPA, and a consumer must give the business 30 days’ written notice, during which the business may cure the violation, before seeking statutory damages.
So if your business operates in California (or even if it doesn’t) and you’re among the 50% to 80% of businesses still scrambling, here’s what you should know to keep the lights on:
What Counts as Personal Information?
The International Risk Management Institute provides an expert unpacking of CCPA and outlines what consumers are entitled to request under the law. Beyond the specific pieces of personal information a business has collected about them, consumers can also request:
- Categories of personal information collected
- Where the information was sourced
- The business’s purpose for collecting personal information
- Third parties with which consumer information is shared
If your business sells personal information, you are also expected to go further and explain why and to whom you have sold any collected data. Going forward, CCPA also requires businesses to notify consumers, at or before the point of collection, that their personal information is being collected and for what purposes it will be used. Businesses must give consumers a way to opt out of the sale of their data, with a clearly displayed “Do Not Sell My Personal Information” link on their website or app. They may not discriminate against consumers who exercise their rights, with the caveat that a business may offer a different price or level of service when the difference is reasonably related to the value of the consumer’s data. A business may not sell the personal information of a consumer it knows to be under 16 without opt-in consent: from the consumer if they are 13 to 15, and from a parent or guardian if they are under 13.
CCPA does not apply where it would restrict a business’s ability to comply with federal, state or local law, and it does not apply to de-identified data, meaning data that has been scrubbed of the identifiers linking it to a person. It also yields to HIPAA and several other healthcare laws, as well as the California Financial Information Privacy Act.