California took a big step this year, passing the first consumer privacy act in the country. It’s the only state to give its residents similar protections to what you’d find in the General Data Protection Regulation (GDPR). The Act allows them to see how their information is being used and gives them more control over the sharing of their data.
The California Consumer Privacy Act (CCPA) of 2018, Assembly Bill No. 375, went into effect in January 2020. This has left many brands wondering what it means for them and their consumer base. Not only do companies want to ensure they are compliant, but they also want to get there quickly.
To help you with that, here’s what we will cover in this guide:
Let’s start with the basics of the Act — what it is and isn’t — and how it could affect your brand.
As the name suggests, this bill is focused on protecting consumer privacy. That includes how companies use and/or sell their personal information and data, giving consumers more control over how that’s handled.
The bill grants consumers the right to:
The main point of the bill is to give any California consumer the right to demand to see the information a company has saved on them. It also allows consumers to see a full list of the third parties that data is shared with.
Here’s the timeline for the California Consumer Privacy Act:
We have passed that grace period, so companies need to get on the fast track for becoming compliant.
The CCPA impacts all companies that serve California residents and have at least $25 million in annual revenue. It also affects companies of any size that hold personal data on at least 50,000 people, or that collect more than half of their revenue from the sale of personal data. Your brand doesn’t actually have to be based in California to be covered by this bill. What matters is whether you reach people who live in the state and whether your company falls into one of the covered categories.
The CCPA doesn’t apply to:
If any of the criteria above fit your company, you’ll need to take steps to become compliant now, because this law is already being enforced.
The bill describes personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a specific consumer or household. Here’s the list shared in the bill of what all that includes:
Don’t let that list overwhelm you. Here are a few specific examples, pulled from that list, of what counts as personal information:
If you’re using any of that information and fit the criteria for businesses included in this bill, you will need to become compliant right away if you aren’t already.
You’ve probably heard of the EU’s GDPR by now. The CCPA was put into place to protect consumer information, so in that respect, it’s similar to the GDPR. Here are a few other similarities the two share:
However, that’s about where the similarities end. The GDPR regulates what disclosures companies make to data subjects, and it also governs the procedures for data breach notification, data security implementation, and more. It grants data subjects additional rights as well, such as the right to rectification, the right to be forgotten, and the right not to be subject to a decision based on automated processing.
On the other hand, the CCPA is more limited and mainly focuses on consumer privacy rights and disclosures made to consumers. While it is less comprehensive than the GDPR, that doesn’t mean it has a narrow scope or can be ignored. This Act still requires companies to make some major changes to become compliant.
Another major difference between the two is how they approach opt-ins and opt-outs. Under the GDPR, users must opt in to give their consent. Under the CCPA, companies can simply include an opt-out (Unsubscribe) option in their messages instead of having to earn the opt-in to begin with. Businesses can’t sell personal information after they receive an opt-out request unless the consumer later authorizes them to do so again. Also, companies have to wait at least 12 months before asking a consumer to opt back into the sale of their personal information.
Remember: Being GDPR-compliant doesn’t mean being CCPA-compliant, or vice versa.
The California Consumer Privacy Act is light on requirements for security and breach response compared to the GDPR. However, the Act does impose fines (more on that below) on companies that expose consumer data because of a security lapse or breach. It also allows courts to grant “injunctive or declaratory relief,” or “any other relief the court deems proper.”
Companies aren’t required to report breaches under the Act, so consumers must file complaints before fines are possible. The best course of action to improve security, then, is to know what data the CCPA defines as personal information and take steps to secure it.
Unfortunately, there isn’t a magical switch that you can flip to ensure all of your consumer data is compliant with the CCPA. So, we’ve put together this overview to show you how to comply from start to finish.
In addition to covering your bases with the consumer data you collect, there are other actions the Act requires companies to take. Businesses must make two or more designated methods available to consumers for submitting requests for information. That includes, at minimum, a toll-free telephone number and, if the company has one, a website.
Companies must also disclose and deliver the required information to the consumer free of charge within 45 days of receiving a verifiable request. You can extend that period by an additional 45 days when reasonably necessary, but you must notify the consumer within the first 45-day period. You can’t require a consumer to create an account with your business in order to make a verifiable request.
Staying CCPA-compliant is a continuous process, just like adding new consumers to your database.
If you receive a consumer request, there are a few things you will need to do. The specifics depend on the request, for example whether the consumer wants you to disclose the information you hold about them or wants that information deleted.
But generally, there are a few steps you can start with after receiving a request:
Again, this is why it’s important to properly classify consumer data from the start. Yes, it takes extra effort at the beginning, but it will save you greatly in the future if/when you receive requests.
Companies have 30 days to comply with the Act once regulators notify them of a violation. If they don’t resolve the issue in that time, they can face a fine of up to $7,500 per record. Unintentional violations are subject to fines of up to $2,500 per violation.
Also, companies affected by a data breach resulting from unreasonable information security can be ordered to pay between $100 and $750 per California resident affected by the incident, or actual damages, whichever is greater, in a civil class-action lawsuit. Remember that with statutory damages, the consumer doesn’t have to prove they incurred an actual financial loss. They only have to show the company violated the law.
Companies that aren’t compliant are risking significant fines once you factor in each impacted customer and/or non-compliant action.
With little leadership on the matter on the federal level, it’s not much of a surprise that California created its own privacy law. More states are sure to take note of what the Golden State is doing. So, even if this Act doesn’t affect your business now, something similar might soon.
Companies need to make smart decisions about how they handle their data security and privacy practices. If the past few years have taught companies anything, it’s that they should constantly monitor their systems for possible threats.
While this bill might not burden security teams as much as the EU’s GDPR, at least in some areas, things can always change. The true effects of the CCPA might not be seen for years. But it’s clear that consumer privacy will continue to be a hot topic across the country and beyond.